diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76c62bb3df6..9c6bbab178a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v4.0.7 (2023-11-14)
+
+## Features
+
+* Release ATT&CK content version 14.1.
+  See detailed changes [here](https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.1).
+
 # v4.0.6 (2023-10-31)
 
 ## Features
diff --git a/attack-theme/templates/general/attack-index.html b/attack-theme/templates/general/attack-index.html
index 57c613f7913..533fde64265 100644
--- a/attack-theme/templates/general/attack-index.html
+++ b/attack-theme/templates/general/attack-index.html
@@ -59,10 +59,13 @@
                             <a class="twitter-timeline" href="https://twitter.com/MITREattack?ref_src=twsrc%5Etfw" data-theme="light" data-height="388">Tweets by MITREattack</a>
                             <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
                         </div> -->
+                    </div> <!-- Comment this line for attack box -->
+                    <div class="col"> <!-- Comment this line for attack box -->
                         <p class="text-justify">MITRE ATT&CK<sup>&reg;</sup> is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.</p>
                         <p class="text-justify">With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world &mdash; by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.</p>
                     </div>
-                    <div class="col">
+                    <!-- Uncomment below lines for attack box -->
+                    <!-- <div class="col">
                         <div class="attack-box">
                             <img width="100%" height="52%" src="/theme/images/halloween.jpg" alt="ATT&CKcon 4.0">
                                 <center>
@@ -74,7 +77,7 @@ <h2 class="attack-box-heading">
                                     </h2>
                                 </center>
                         </div>
-                    </div>
+                    </div> -->
                 {% else %}
                     <p class="text-justify">
                         MITRE ATT&CK<sup>&reg;</sup> is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
diff --git a/data/versions.json b/data/versions.json
index 752353e8cb5..9f571818d19 100644
--- a/data/versions.json
+++ b/data/versions.json
@@ -1,9 +1,9 @@
 {
     "current": {
-        "name": "v14.0",
+        "name": "v14.1",
         "date_start": "October 31, 2023",
         "changelog": "updates-october-2023",
-        "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.0"
+        "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.1"
     },
     "previous": [
         {
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index 8347a2626d5..b8c2c278784 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -86,6 +86,17 @@ If you are only updating the banner and nothing else, follow these steps.
 
 Consult these sections as needed for step 5 in the above list.
 
+* Create a detailed changelog for the release:
+  * Create a new folder: `modules/resources/docs/changelogs/v<previous-ATT&CK-version>-v<current-ATT&CK-version>`
+  * Create a detailed changelog using the mitreattack-python library's `diff_stix` command
+    * TODO: put specific `diff_stix` command here
+  * Manually modify the detailed changelog's href's at the top for links to the Navigator layers and changelog.json
+    * TODO: one day modify the script above to not need this edit anymore
+  * Put the following files from the `diff_stix` command into the folder created above
+    * `changelog-detailed.html`
+    * `changelog.json`
+    * Any ATT&CK Navigator layer files that were generated
+
 ### Major release
 
 * Update `data/versions.json`
@@ -111,7 +122,9 @@ Consult these sections as needed for step 5 in the above list.
   * Current: all information should reference the latest release
   * Previous: leave alone!
 * Update `modules/resources/static_pages/updates-<month>-<year>.md`
-  * Minor releases currently don't get their own update page, so update the last major release to point to the latest release version's URL
+  * Minor releases currently don't get their own update page, so make the following updates to the table at the top of the page:
+    * Under the Data column: Add a new entry for the latest tag, using `<br />` to separate them
+    * Under the Changelogs column: Add a new entry for the latest detailed changelog, for both HTML and JSON (also using `<br />` as a separator)
 * Update CHANGELOG.md
   * Add a bullet point to the Features section in the following format
 
diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/changelog-detailed.html b/modules/resources/docs/changelogs/v13.1-v14.0/changelog-detailed.html
index 9ccc37ac781..f8f108ab35c 100644
--- a/modules/resources/docs/changelogs/v13.1-v14.0/changelog-detailed.html
+++ b/modules/resources/docs/changelogs/v13.1-v14.0/changelog-detailed.html
@@ -140,13 +140,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 
 On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
 </p></details><details><summary>Major Version Changes</summary><hr><h4>[T1562.008] Impair Defenses: Disable or Modify Cloud Logs</h4><p><b>Current version</b>: 2.0</p><p><b>Version changed from</b>: 1.3 → 2.0</p>
-    <table class="diff" id="difflib_chg_to34__top"
+    <table class="diff" id="difflib_chg_to6__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to34__0"><a href="#difflib_chg_to34__top">t</a></td><td class="diff_header" id="from34_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class="diff_chg">cloud&nbsp;logging</span>&nbsp;capabilities&nbsp;and&nbsp;inte</td><td class="diff_next"><a href="#difflib_chg_to34__top">t</a></td><td class="diff_header" id="to34_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class="diff_chg">or&nbsp;modify&nbsp;cloud&nbsp;logging</span>&nbsp;capabilitie</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to6__0"><a href="#difflib_chg_to6__top">t</a></td><td class="diff_header" id="from6_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class="diff_chg">cloud&nbsp;logging</span>&nbsp;capabilities&nbsp;and&nbsp;inte</td><td class="diff_next"><a href="#difflib_chg_to6__top">t</a></td><td class="diff_header" id="to6_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class="diff_chg">or&nbsp;modify&nbsp;cloud&nbsp;logging</span>&nbsp;capabilitie</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">grations&nbsp;to&nbsp;limit&nbsp;what&nbsp;data&nbsp;is&nbsp;collected&nbsp;on&nbsp;their&nbsp;activities</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;and&nbsp;integrations&nbsp;to&nbsp;limit&nbsp;what&nbsp;data&nbsp;is&nbsp;collected&nbsp;on&nbsp;their&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;and&nbsp;avoid&nbsp;detection.&nbsp;Cloud&nbsp;environments&nbsp;allow&nbsp;for&nbsp;collectio</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">activities&nbsp;and&nbsp;avoid&nbsp;detection.&nbsp;Cloud&nbsp;environments&nbsp;allow&nbsp;for</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">n&nbsp;and&nbsp;analysis&nbsp;of&nbsp;audit&nbsp;and&nbsp;application&nbsp;logs&nbsp;that&nbsp;provide&nbsp;in</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;collection&nbsp;and&nbsp;analysis&nbsp;of&nbsp;audit&nbsp;and&nbsp;application&nbsp;logs&nbsp;that&nbsp;</td></tr>
@@ -174,13 +174,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)</td><td style='border: 1px solid black;border-collapse: collapse;'>An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
 
 For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'AWS Update Trail', 'description': 'AWS. (n.d.). update-trail. Retrieved August 4, 2023.', 'url': 'https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Pacu Detection Disruption Module', 'description': 'Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.', 'url': 'https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py'}</td></tr></tbody></table></details><hr><h4>[T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</h4><p><b>Current version</b>: 2.0</p><p><b>Version changed from</b>: 1.2 → 2.0</p>
-    <table class="diff" id="difflib_chg_to6__top"
+    <table class="diff" id="difflib_chg_to30__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to6__0"><a href="#difflib_chg_to6__top">t</a></td><td class="diff_header" id="from6_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td><td class="diff_next"><a href="#difflib_chg_to6__top">t</a></td><td class="diff_header" id="to6_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to30__0"><a href="#difflib_chg_to30__top">t</a></td><td class="diff_header" id="from30_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td><td class="diff_next"><a href="#difflib_chg_to30__top">t</a></td><td class="diff_header" id="to30_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;"run&nbsp;keys"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;"run&nbsp;keys"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</span></td></tr>
@@ -333,13 +333,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
 
 Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Harun Küßner</td></tr></tbody></table></details></details><details><summary>Minor Version Changes</summary><hr><h4>[T1548] Abuse Elevation Control Mechanism</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Mitigations</b>:</p><ul>  <li>M1018: User Account Management</li></ul><p><b>New Detections</b>:</p><ul>  <li>DS0002: User Account (User Account Modification)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-21 12:35:07.744000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-02 00:47:11.369000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>User Account: User Account Modification</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Office 365</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>IaaS</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Google Workspace</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Azure AD</td></tr></tbody></table></details><hr><h4>[T1098] Account Manipulation</h4><p><b>Current version</b>: 2.6</p><p><b>Version changed from</b>: 2.5 → 2.6</p>
-    <table class="diff" id="difflib_chg_to25__top"
+    <table class="diff" id="difflib_chg_to17__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to25__0"><a href="#difflib_chg_to25__top">t</a></td><td class="diff_header" id="from25_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class="diff_chg">ccess&nbsp;to&nbsp;vi</span></td><td class="diff_next"><a href="#difflib_chg_to25__top">t</a></td><td class="diff_header" id="to25_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class="diff_chg">nd/or&nbsp;eleva</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to17__0"><a href="#difflib_chg_to17__top">t</a></td><td class="diff_header" id="from17_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class="diff_chg">ccess&nbsp;to&nbsp;vi</span></td><td class="diff_next"><a href="#difflib_chg_to17__top">t</a></td><td class="diff_header" id="to17_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class="diff_chg">nd/or&nbsp;eleva</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_chg">ctim</span>&nbsp;systems.&nbsp;Account&nbsp;manipulation&nbsp;may&nbsp;consist&nbsp;of&nbsp;any&nbsp;action</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_chg">te&nbsp;access&nbsp;to&nbsp;victim</span>&nbsp;systems.&nbsp;Account&nbsp;manipulation&nbsp;may&nbsp;consis</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;that&nbsp;preserves&nbsp;<span class="diff_chg">adversary&nbsp;access&nbsp;to&nbsp;a&nbsp;compromised</span>&nbsp;account,&nbsp;s</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">t&nbsp;of&nbsp;any&nbsp;action&nbsp;that&nbsp;preserves&nbsp;<span class="diff_chg">or&nbsp;modifies&nbsp;adversary&nbsp;access&nbsp;</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">uch&nbsp;as&nbsp;modifying&nbsp;credentials&nbsp;or&nbsp;permission&nbsp;groups.&nbsp;These&nbsp;act</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_chg">to&nbsp;a&nbsp;compromised</span>&nbsp;account,&nbsp;such&nbsp;as&nbsp;modifying&nbsp;credentials&nbsp;or&nbsp;p</td></tr>
@@ -359,13 +359,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. 
 
 In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.5</td><td style='border: 1px solid black;border-collapse: collapse;'>2.6</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>kill_chain_phases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Arad Inbar, Fidelis Security</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Containers</td></tr></tbody></table></details><hr><h4>[T1583] Acquire Infrastructure</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p>
-    <table class="diff" id="difflib_chg_to26__top"
+    <table class="diff" id="difflib_chg_to5__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to26__0"><a href="#difflib_chg_to26__top">t</a></td><td class="diff_header" id="from26_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to26__top">t</a></td><td class="diff_header" id="to26_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to5__0"><a href="#difflib_chg_to5__top">t</a></td><td class="diff_header" id="from5_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to5__top">t</a></td><td class="diff_header" id="to5_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;A&nbsp;wide&nbsp;variety&nbsp;of&nbsp;infrastructure&nbsp;e</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;A&nbsp;wide&nbsp;variety&nbsp;of&nbsp;infrastructure&nbsp;e</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">xists&nbsp;for&nbsp;hosting&nbsp;and&nbsp;orchestrating&nbsp;adversary&nbsp;operations.&nbsp;In</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">xists&nbsp;for&nbsp;hosting&nbsp;and&nbsp;orchestrating&nbsp;adversary&nbsp;operations.&nbsp;In</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">frastructure&nbsp;solutions&nbsp;include&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;do</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">frastructure&nbsp;solutions&nbsp;include&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;do</td></tr>
@@ -389,13 +389,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.
 
 Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant APT29 Microsoft 365 2022', 'description': 'Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.', 'url': 'https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'FBI Proxies Credential Stuffing', 'description': 'FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts . Retrieved July 6, 2023.', 'url': 'https://www.ic3.gov/Media/News/2022/220818.pdf'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Goldstein Menachem</td></tr></tbody></table></details><hr><h4>[T1098.001] Account Manipulation: Additional Cloud Credentials</h4><p><b>Current version</b>: 2.6</p><p><b>Version changed from</b>: 2.5 → 2.6</p>
-    <table class="diff" id="difflib_chg_to29__top"
+    <table class="diff" id="difflib_chg_to7__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to29__0"><a href="#difflib_chg_to29__top">t</a></td><td class="diff_header" id="from29_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td><td class="diff_next"><a href="#difflib_chg_to29__top">t</a></td><td class="diff_header" id="to29_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to7__0"><a href="#difflib_chg_to7__top">t</a></td><td class="diff_header" id="from7_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td><td class="diff_next"><a href="#difflib_chg_to7__top">t</a></td><td class="diff_header" id="to7_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">oud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;accounts</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">oud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;accounts</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;and&nbsp;instances&nbsp;within&nbsp;the&nbsp;environment.&nbsp;&nbsp;For&nbsp;example,&nbsp;adversa</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;and&nbsp;instances&nbsp;within&nbsp;the&nbsp;environment.&nbsp;&nbsp;For&nbsp;example,&nbsp;adversa</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ries&nbsp;may&nbsp;add&nbsp;credentials&nbsp;for&nbsp;Service&nbsp;Principals&nbsp;and&nbsp;Applicat</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ries&nbsp;may&nbsp;add&nbsp;credentials&nbsp;for&nbsp;Service&nbsp;Principals&nbsp;and&nbsp;Applicat</td></tr>
@@ -459,13 +459,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 
 In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
 (Citation: Crowdstrike AWS User Federation Persistence)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.5</td><td style='border: 1px solid black;border-collapse: collapse;'>2.6</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>kill_chain_phases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'SpecterOps Azure Privilege Escalation', 'description': 'Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.', 'url': 'https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Sysdig ScarletEel 2.0', 'description': 'SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.', 'url': 'https://sysdig.com/blog/scarleteel-2-0/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Arad Inbar, Fidelis Security</td></tr></tbody></table></details><hr><h4>[T1098.003] Account Manipulation: Additional Cloud Roles</h4><p><b>Current version</b>: 2.3</p><p><b>Version changed from</b>: 2.2 → 2.3</p>
-    <table class="diff" id="difflib_chg_to32__top"
+    <table class="diff" id="difflib_chg_to25__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to32__0"><a href="#difflib_chg_to32__top">t</a></td><td class="diff_header" id="from32_1">1</td><td nowrap="nowrap"><span class="diff_sub">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td><td class="diff_next"><a href="#difflib_chg_to32__top">t</a></td><td class="diff_header" id="to32_1">1</td><td nowrap="nowrap"><span class="diff_add">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to25__0"><a href="#difflib_chg_to25__top">t</a></td><td class="diff_header" id="from25_1">1</td><td nowrap="nowrap"><span class="diff_sub">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td><td class="diff_next"><a href="#difflib_chg_to25__top">t</a></td><td class="diff_header" id="to25_1">1</td><td nowrap="nowrap"><span class="diff_add">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">dversary-controlled&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;acc</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">dversary-controlled&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;acc</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ess&nbsp;to&nbsp;a&nbsp;tenant.&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;update&nbsp;IAM&nbsp;pol</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ess&nbsp;to&nbsp;a&nbsp;tenant.&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;update&nbsp;IAM&nbsp;pol</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">icies&nbsp;in&nbsp;cloud-based&nbsp;environments&nbsp;or&nbsp;add&nbsp;a&nbsp;new&nbsp;global&nbsp;admini</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">icies&nbsp;in&nbsp;cloud-based&nbsp;environments&nbsp;or&nbsp;add&nbsp;a&nbsp;new&nbsp;global&nbsp;admini</span></td></tr>
@@ -516,13 +516,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
 
 For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td><td style='border: 1px solid black;border-collapse: collapse;'>2.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>kill_chain_phases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Arad Inbar, Fidelis Security</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'SpecterOps Azure Privilege Escalation', 'description': 'Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.', 'url': 'https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Azure AD to AD', 'description': 'Sean Metcalf. (2020, May 27). From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path. Retrieved September 28, 2022.', 'url': 'https://adsecurity.org/?p=4277'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T1098.002] Account Manipulation: Additional Email Delegate Permissions</h4><p><b>Current version</b>: 2.1</p><p><b>Version changed from</b>: 2.0 → 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-19 14:55:26.110000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-03 17:38:00.554000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>kill_chain_phases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Arad Inbar, Fidelis Security</td></tr></tbody></table></details><hr><h4>[T1557] Adversary-in-the-Middle</h4><p><b>Current version</b>: 2.3</p><p><b>Version changed from</b>: 2.2 → 2.3</p>
-    <table class="diff" id="difflib_chg_to4__top"
+    <table class="diff" id="difflib_chg_to34__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to4__0"><a href="#difflib_chg_to4__top">t</a></td><td class="diff_header" id="from4_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td><td class="diff_next"><a href="#difflib_chg_to4__top">t</a></td><td class="diff_header" id="to4_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to34__0"><a href="#difflib_chg_to34__top">t</a></td><td class="diff_header" id="from34_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td><td class="diff_next"><a href="#difflib_chg_to34__top">t</a></td><td class="diff_header" id="to34_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">r&nbsp;more&nbsp;networked&nbsp;devices&nbsp;using&nbsp;an&nbsp;adversary-in-the-middle&nbsp;(A</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">r&nbsp;more&nbsp;networked&nbsp;devices&nbsp;using&nbsp;an&nbsp;adversary-in-the-middle&nbsp;(A</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">iTM)&nbsp;technique&nbsp;to&nbsp;support&nbsp;follow-on&nbsp;behaviors&nbsp;such&nbsp;as&nbsp;[Netwo</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">iTM)&nbsp;technique&nbsp;to&nbsp;support&nbsp;follow-on&nbsp;behaviors&nbsp;such&nbsp;as&nbsp;[Netwo</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rk&nbsp;Sniffing](https://attack.mitre.org/techniques/T1040)<span class="diff_chg">&nbsp;or</span>&nbsp;[</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rk&nbsp;Sniffing](https://attack.mitre.org/techniques/T1040)<span class="diff_chg">,</span>&nbsp;[Tr</td></tr>
@@ -566,13 +566,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)
 
 Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td><td style='border: 1px solid black;border-collapse: collapse;'>2.3</td></tr></tbody></table></details><hr><h4>[T1560.001] Archive Collected Data: Archive via Utility</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-14 19:28:21.394000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-15 19:02:53.995000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1053.002] Scheduled Task/Job: At</h4><p><b>Current version</b>: 2.1</p><p><b>Version changed from</b>: 2.0 → 2.1</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Traffic Flow)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-18 20:12:04.110000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:13:52.767000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network Traffic: Network Traffic Flow</td></tr></tbody></table></details><hr><h4>[T1037] Boot or Logon Initialization Scripts</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:38.295000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 20:54:55.991000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[T1070.007] Indicator Removal: Clear Network Connection History and Configurations</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
-    <table class="diff" id="difflib_chg_to1__top"
+    <table class="diff" id="difflib_chg_to36__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to1__0"><a href="#difflib_chg_to1__top">t</a></td><td class="diff_header" id="from1_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td><td class="diff_next"><a href="#difflib_chg_to1__top">t</a></td><td class="diff_header" id="to1_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to36__0"><a href="#difflib_chg_to36__top">t</a></td><td class="diff_header" id="from36_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td><td class="diff_next"><a href="#difflib_chg_to36__top">t</a></td><td class="diff_header" id="to36_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">k&nbsp;connections&nbsp;in&nbsp;order&nbsp;to&nbsp;clean&nbsp;up&nbsp;traces&nbsp;of&nbsp;their&nbsp;operation</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">k&nbsp;connections&nbsp;in&nbsp;order&nbsp;to&nbsp;clean&nbsp;up&nbsp;traces&nbsp;of&nbsp;their&nbsp;operation</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s.&nbsp;Configuration&nbsp;settings&nbsp;as&nbsp;well&nbsp;as&nbsp;various&nbsp;artifacts&nbsp;that&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s.&nbsp;Configuration&nbsp;settings&nbsp;as&nbsp;well&nbsp;as&nbsp;various&nbsp;artifacts&nbsp;that&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">highlight&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;created&nbsp;on&nbsp;a&nbsp;system&nbsp;<span class="diff_chg">from</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">highlight&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;created&nbsp;on&nbsp;a&nbsp;system&nbsp;<span class="diff_chg">and/</span></td></tr>
@@ -625,13 +625,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
 
 Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1070.001] Indicator Removal: Clear Windows Event Logs</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><p><b>New Detections</b>:</p><ul>  <li>DS0009: Process (Process Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 15:32:03.205000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:43:04.568000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Creation</td></tr></tbody></table></details><hr><h4>[T1136.003] Create Account: Cloud Account</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-06 21:24:56.669000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 17:34:42.544000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[T1078.004] Valid Accounts: Cloud Accounts</h4><p><b>Current version</b>: 1.6</p><p><b>Version changed from</b>: 1.5 → 1.6</p>
-    <table class="diff" id="difflib_chg_to5__top"
+    <table class="diff" id="difflib_chg_to8__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to5__0"><a href="#difflib_chg_to5__top">t</a></td><td class="diff_header" id="from5_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;obtain&nbsp;and&nbsp;abuse&nbsp;credentials&nbsp;of&nbsp;a&nbsp;cloud&nbsp;acco</span></td><td class="diff_next"><a href="#difflib_chg_to5__top">t</a></td><td class="diff_header" id="to5_1">1</td><td nowrap="nowrap"><span class="diff_add">Valid&nbsp;accounts&nbsp;in&nbsp;cloud&nbsp;environments&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;t</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to8__0"><a href="#difflib_chg_to8__top">t</a></td><td class="diff_header" id="from8_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;obtain&nbsp;and&nbsp;abuse&nbsp;credentials&nbsp;of&nbsp;a&nbsp;cloud&nbsp;acco</span></td><td class="diff_next"><a href="#difflib_chg_to8__top">t</a></td><td class="diff_header" id="to8_1">1</td><td nowrap="nowrap"><span class="diff_add">Valid&nbsp;accounts&nbsp;in&nbsp;cloud&nbsp;environments&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;t</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">unt&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;gaining&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Privi</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">o&nbsp;perform&nbsp;actions&nbsp;to&nbsp;achieve&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Pr</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">lege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;thos</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ivilege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;t</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">e&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;users</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">hose&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;us</span></td></tr>
@@ -676,13 +676,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 
 Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. 
 </td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td></tr></tbody></table></details><hr><h4>[T1538] Cloud Service Dashboard</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-03-16 12:56:36.098000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 16:51:02.852000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1554] Compromise Client Software Binary</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
-    <table class="diff" id="difflib_chg_to11__top"
+    <table class="diff" id="difflib_chg_to9__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to11__0"><a href="#difflib_chg_to11__top">t</a></td><td class="diff_header" id="from11_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td><td class="diff_next"><a href="#difflib_chg_to11__top">t</a></td><td class="diff_header" id="to11_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to9__0"><a href="#difflib_chg_to9__top">t</a></td><td class="diff_header" id="from9_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td><td class="diff_next"><a href="#difflib_chg_to9__top">t</a></td><td class="diff_header" id="to9_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">&nbsp;persistent&nbsp;access&nbsp;to&nbsp;systems.&nbsp;Client&nbsp;software&nbsp;enables&nbsp;users</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;persistent&nbsp;access&nbsp;to&nbsp;systems.&nbsp;Client&nbsp;software&nbsp;enables&nbsp;users</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">&nbsp;to&nbsp;access&nbsp;services&nbsp;provided&nbsp;by&nbsp;a&nbsp;server.&nbsp;Common&nbsp;client&nbsp;soft</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;to&nbsp;access&nbsp;services&nbsp;provided&nbsp;by&nbsp;a&nbsp;server.&nbsp;Common&nbsp;client&nbsp;soft</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ware&nbsp;types&nbsp;are&nbsp;SSH&nbsp;clients,&nbsp;FTP&nbsp;clients,&nbsp;email&nbsp;clients,&nbsp;and&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ware&nbsp;types&nbsp;are&nbsp;SSH&nbsp;clients,&nbsp;FTP&nbsp;clients,&nbsp;email&nbsp;clients,&nbsp;and&nbsp;</span></td></tr>
@@ -709,13 +709,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)
 
 Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Unit42 Banking Trojans Hooking 2022', 'description': 'Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.', 'url': 'https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'ESET FontOnLake Analysis 2021', 'description': 'Vladislav Hrčka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.', 'url': 'https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf'}</td></tr></tbody></table></details><hr><h4>[T1584] Compromise Infrastructure</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p>
-    <table class="diff" id="difflib_chg_to13__top"
+    <table class="diff" id="difflib_chg_to31__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to13__0"><a href="#difflib_chg_to13__top">t</a></td><td class="diff_header" id="from13_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td><td class="diff_next"><a href="#difflib_chg_to13__top">t</a></td><td class="diff_header" id="to13_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to31__0"><a href="#difflib_chg_to31__top">t</a></td><td class="diff_header" id="from31_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td><td class="diff_next"><a href="#difflib_chg_to31__top">t</a></td><td class="diff_header" id="to31_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">an&nbsp;be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;Infrastructure&nbsp;solutions&nbsp;includ</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">an&nbsp;be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;Infrastructure&nbsp;solutions&nbsp;includ</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">e&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;domains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;an</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">e&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;domains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;an</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;DNS&nbsp;services.&nbsp;Instead&nbsp;of&nbsp;buying,&nbsp;leasing,&nbsp;or&nbsp;renting&nbsp;infra</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;DNS&nbsp;services.&nbsp;Instead&nbsp;of&nbsp;buying,&nbsp;leasing,&nbsp;or&nbsp;renting&nbsp;infra</td></tr>
@@ -752,13 +752,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)
 
 By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Sysdig Proxyjacking', 'description': 'Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.', 'url': 'https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Goldstein Menachem</td></tr></tbody></table></details><hr><h4>[T1136] Create Account</h4><p><b>Current version</b>: 2.4</p><p><b>Version changed from</b>: 2.3 → 2.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 23:24:48.840000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 17:42:28.207000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.3</td><td style='border: 1px solid black;border-collapse: collapse;'>2.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Containers</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>SaaS</td></tr></tbody></table></details><hr><h4>[T1110.004] Brute Force: Credential Stuffing</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-14 23:05:16.857000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 16:53:12.789000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[T1552.001] Unsecured Credentials: Credentials In Files</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0009: Process (Process Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator', 'SYSTEM', 'User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:44.951000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-23 22:24:50.812000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Creation</td></tr></tbody></table></details><hr><h4>[T1555] Credentials from Password Stores</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
-    <table class="diff" id="difflib_chg_to36__top"
+    <table class="diff" id="difflib_chg_to16__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to36__0"><a href="#difflib_chg_to36__top">t</a></td><td class="diff_header" id="from36_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td><td class="diff_next"><a href="#difflib_chg_to36__top">t</a></td><td class="diff_header" id="to36_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to16__0"><a href="#difflib_chg_to16__top">t</a></td><td class="diff_header" id="from16_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td><td class="diff_next"><a href="#difflib_chg_to16__top">t</a></td><td class="diff_header" id="to16_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;to&nbsp;obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;are&nbsp;stored&nbsp;in&nbsp;several</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;to&nbsp;obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;are&nbsp;stored&nbsp;in&nbsp;several</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;places&nbsp;on&nbsp;a&nbsp;system,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;ap</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;places&nbsp;on&nbsp;a&nbsp;system,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;ap</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">plication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;a</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">plication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;a</td></tr>
@@ -769,13 +769,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">estricted&nbsp;information.</td></tr>
         </tbody>
     </table><p><b>New Mitigations</b>:</p><ul>  <li>M1026: Privileged Account Management</li></ul><p><b>New Detections</b>:</p><ul>  <li>DS0025: Cloud Service (Cloud Service Enumeration)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-01 18:25:13.952000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-30 20:16:41.759000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Cloud Service: Cloud Service Enumeration</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>IaaS</td></tr></tbody></table></details><hr><h4>[T1552.002] Unsecured Credentials: Credentials in Registry</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator', 'User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-02-07 20:49:18.834000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 18:29:56.525000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1485] Data Destruction</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User', 'Administrator', 'root', 'SYSTEM']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-03-25 14:47:48.728000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-03 17:30:32.192000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Joey Lei</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Containers</td></tr></tbody></table></details><hr><h4>[T1530] Data from Cloud Storage</h4><p><b>Current version</b>: 2.1</p><p><b>Version changed from</b>: 2.0 → 2.1</p>
-    <table class="diff" id="difflib_chg_to0__top"
+    <table class="diff" id="difflib_chg_to14__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to0__0"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="from0_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;improperly&nbsp;secured&nbsp;cloud&nbsp;st</span></td><td class="diff_next"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="to0_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;cloud&nbsp;storage.&nbsp;&nbsp;Many&nbsp;IaaS&nbsp;p</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to14__0"><a href="#difflib_chg_to14__top">t</a></td><td class="diff_header" id="from14_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;improperly&nbsp;secured&nbsp;cloud&nbsp;st</span></td><td class="diff_next"><a href="#difflib_chg_to14__top">t</a></td><td class="diff_header" id="to14_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;cloud&nbsp;storage.&nbsp;&nbsp;Many&nbsp;IaaS&nbsp;p</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">orage.&nbsp;&nbsp;Many&nbsp;cloud&nbsp;service&nbsp;providers&nbsp;offer&nbsp;solutions&nbsp;for&nbsp;onl</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">roviders&nbsp;offer&nbsp;solutions&nbsp;for&nbsp;online&nbsp;data&nbsp;object&nbsp;storage&nbsp;such</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ine&nbsp;data&nbsp;object&nbsp;storage&nbsp;such&nbsp;as&nbsp;Amazon&nbsp;S3,&nbsp;Azure&nbsp;Storage,&nbsp;an</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;as&nbsp;Amazon&nbsp;S3,&nbsp;Azure&nbsp;Storage,&nbsp;and&nbsp;Google&nbsp;Cloud&nbsp;Storage.&nbsp;Simi</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">d&nbsp;Google&nbsp;Cloud&nbsp;Storage.&nbsp;These&nbsp;solutions&nbsp;differ&nbsp;from&nbsp;other&nbsp;st</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">larly,&nbsp;SaaS&nbsp;enterprise&nbsp;platforms&nbsp;such&nbsp;as&nbsp;Office&nbsp;365&nbsp;and&nbsp;Goog</span></td></tr>
@@ -835,13 +835,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)
 
 Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Google Workspace</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Office 365</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'SecureWorld - How Secure Is Your Slack Channel - Dec 2021', 'description': ' Drew Todd. (2021, December 28). How Secure Is Your Slack Channel?. Retrieved May 31, 2022.', 'url': 'https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#:~:text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim,credentials%20over%20a%20Slack%20channel.'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'EA Hacked via Slack - June 2021', 'description': 'Anthony Spadafora. (2021, June 11). EA hack reportedly used stolen cookies and Slack to target gaming giant. Retrieved May 31, 2022.', 'url': 'https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'HackerNews - 3 SaaS App Cyber Attacks - April 2022', 'description': 'Hananel Livneh. (2022, April 7). Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022. Retrieved May 31, 2022.', 'url': 'https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Dark Clouds_Usenix_Mulazzani_08_2011', 'description': 'Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl. (2011, August). Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. Retrieved July 14, 2022.', 'url': 'https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T1039] Data from Network Shared Drive</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Traffic Flow)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:35.611000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:06:07.690000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network Traffic: Network Traffic Flow</td></tr></tbody></table></details><hr><h4>[T1140] Deobfuscate/Decode Files or Information</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-21 12:21:06.026000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 19:28:18.334000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1098.005] Account Manipulation: Device Registration</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-20 18:14:17.197000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-03 17:38:39.065000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>kill_chain_phases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Arad Inbar, Fidelis Security</td></tr></tbody></table></details><hr><h4>[T1006] Direct Volume Access</h4><p><b>Current version</b>: 2.1</p><p><b>Version changed from</b>: 2.0 → 2.1</p>
-    <table class="diff" id="difflib_chg_to2__top"
+    <table class="diff" id="difflib_chg_to22__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to2__0"><a href="#difflib_chg_to2__top">t</a></td><td class="diff_header" id="from2_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td><td class="diff_next"><a href="#difflib_chg_to2__top">t</a></td><td class="diff_header" id="to2_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to22__0"><a href="#difflib_chg_to22__top">t</a></td><td class="diff_header" id="from22_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td><td class="diff_next"><a href="#difflib_chg_to22__top">t</a></td><td class="diff_header" id="to22_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td></tr>
@@ -860,13 +860,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
 
 Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'LOLBAS Esentutl', 'description': 'LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.', 'url': 'https://lolbas-project.github.io/lolbas/Binaries/Esentutl/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>File: File Creation</td></tr></tbody></table></details><hr><h4>[T1562.002] Impair Defenses: Disable Windows Event Logging</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><p><b>New Detections</b>:</p><ul>  <li>DS0024: Windows Registry (Windows Registry Key Modification)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-17 23:24:19.730000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-18 22:33:57.556000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Windows Registry: Windows Registry Key Modification</td></tr></tbody></table></details><hr><h4>[T1562.001] Impair Defenses: Disable or Modify Tools</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p>
-    <table class="diff" id="difflib_chg_to8__top"
+    <table class="diff" id="difflib_chg_to26__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to8__0"><a href="#difflib_chg_to8__top">t</a></td><td class="diff_header" id="from8_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td><td class="diff_next"><a href="#difflib_chg_to8__top">t</a></td><td class="diff_header" id="to8_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to26__0"><a href="#difflib_chg_to26__top">t</a></td><td class="diff_header" id="from26_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td><td class="diff_next"><a href="#difflib_chg_to26__top">t</a></td><td class="diff_header" id="to26_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;possible&nbsp;detection&nbsp;of&nbsp;their&nbsp;malware/tools&nbsp;and&nbsp;activities.&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;possible&nbsp;detection&nbsp;of&nbsp;their&nbsp;malware/tools&nbsp;and&nbsp;activities.&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">This&nbsp;may&nbsp;take&nbsp;many&nbsp;forms,&nbsp;such&nbsp;as&nbsp;killing&nbsp;security&nbsp;software&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">This&nbsp;may&nbsp;take&nbsp;many&nbsp;forms,&nbsp;such&nbsp;as&nbsp;killing&nbsp;security&nbsp;software&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">processes&nbsp;or&nbsp;services,&nbsp;modifying&nbsp;/&nbsp;deleting&nbsp;Registry&nbsp;keys&nbsp;or</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">processes&nbsp;or&nbsp;services,&nbsp;modifying&nbsp;/&nbsp;deleting&nbsp;Registry&nbsp;keys&nbsp;or</td></tr>
@@ -938,13 +938,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
 
 Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Analysis of FG-IR-22-369', 'description': ' Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.', 'url': 'https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation', 'description': 'ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.', 'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Creation</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network</td></tr></tbody></table></details><hr><h4>[T1021.003] Remote Services: Distributed Component Object Model</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-03 18:58:54.034000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 20:21:55.610000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1136.002] Create Account: Domain Account</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-23 18:12:36.696000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 17:36:37.600000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1078.002] Valid Accounts: Domain Accounts</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-13 17:17:03.605000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 14:55:07.432000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[T1562.010] Impair Defenses: Downgrade Attack</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p>
-    <table class="diff" id="difflib_chg_to24__top"
+    <table class="diff" id="difflib_chg_to10__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to24__0"><a href="#difflib_chg_to24__top">t</a></td><td class="diff_header" id="from24_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td><td class="diff_next"><a href="#difflib_chg_to24__top">t</a></td><td class="diff_header" id="to24_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to10__0"><a href="#difflib_chg_to10__top">t</a></td><td class="diff_header" id="from10_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td><td class="diff_next"><a href="#difflib_chg_to10__top">t</a></td><td class="diff_header" id="to10_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">s&nbsp;that&nbsp;may&nbsp;be&nbsp;outdated,&nbsp;vulnerable,&nbsp;and/or&nbsp;does&nbsp;not&nbsp;support&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">s&nbsp;that&nbsp;may&nbsp;be&nbsp;outdated,&nbsp;vulnerable,&nbsp;and/or&nbsp;does&nbsp;not&nbsp;support&nbsp;</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">updated&nbsp;security&nbsp;controls&nbsp;such&nbsp;as&nbsp;logging.&nbsp;For&nbsp;example,&nbsp;[Pow</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">updated&nbsp;security&nbsp;controls.&nbsp;Downgrade&nbsp;attacks&nbsp;typically&nbsp;take&nbsp;</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">erShell](https://attack.mitre.org/techniques/T1059/001)&nbsp;vers</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">advantage&nbsp;of&nbsp;a&nbsp;system’s&nbsp;backward&nbsp;compatibility&nbsp;to&nbsp;force&nbsp;it&nbsp;i</span></td></tr>
@@ -983,13 +983,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Monitor for Windows event ID (EID) 400, specifically the <code>EngineVersion</code> field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)
 
 Monitor network data to detect cases where HTTP is used instead of HTTPS.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Crowdstrike Downgrade', 'description': 'Bart Lenaerts-Bergman. (2023, March 14). WHAT ARE DOWNGRADE ATTACKS?. Retrieved May 24, 2023.', 'url': 'https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Targeted SSL Stripping Attacks Are Real', 'description': 'Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.', 'url': 'https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Arad Inbar, Fidelis Security</td></tr></tbody></table></details><hr><h4>[T1559.002] Inter-Process Communication: Dynamic Data Exchange</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-02-22 13:22:30.191000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-15 18:57:21.881000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1055.001] Process Injection: Dynamic-link Library Injection</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-18 21:07:23.748000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:34:38.558000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1114] Email Collection</h4><p><b>Current version</b>: 2.5</p><p><b>Version changed from</b>: 2.4 → 2.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 20:46:04.871000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 21:06:03.098000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.4</td><td style='border: 1px solid black;border-collapse: collapse;'>2.5</td></tr></tbody></table></details><hr><h4>[T1564.008] Hide Artifacts: Email Hiding Rules</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 20:42:20.079000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 16:41:53.957000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1027.009] Obfuscated Files or Information: Embedded Payloads</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-21 14:40:48.074000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 21:14:57.263000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1011] Exfiltration Over Other Network Medium</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Mitigations</b>:</p><ul>  <li>M1042: Disable or Remove Feature or Program</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-03-08 21:02:16.115000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-11 16:06:10.376000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1567] Exfiltration Over Web Service</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><p><b>New Detections</b>:</p><ul>  <li>DS0015: Application Log (Application Log Content)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-19 21:28:34.699000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-05 15:00:36.471000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Application Log: Application Log Content</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Office 365</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>SaaS</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Google Workspace</td></tr></tbody></table></details><hr><h4>[T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-08-30 12:49:02.969000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-15 19:11:47.547000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1567.001] Exfiltration Over Web Service: Exfiltration to Code Repository</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-28 00:58:55.433000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-15 19:08:16.882000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1212] Exploitation for Credential Access</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p>
-    <table class="diff" id="difflib_chg_to38__top"
+    <table class="diff" id="difflib_chg_to32__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to38__0"><a href="#difflib_chg_to38__top">t</a></td><td class="diff_header" id="from38_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td><td class="diff_next"><a href="#difflib_chg_to38__top">t</a></td><td class="diff_header" id="to38_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to32__0"><a href="#difflib_chg_to32__top">t</a></td><td class="diff_header" id="from32_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td><td class="diff_next"><a href="#difflib_chg_to32__top">t</a></td><td class="diff_header" id="to32_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">pt&nbsp;to&nbsp;collect&nbsp;credentials.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vulner</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">pt&nbsp;to&nbsp;collect&nbsp;credentials.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vulner</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;progra</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;progra</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">mming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;s</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">mming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;s</span></td></tr>
@@ -1024,13 +1024,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)
 
 Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Bugcrowd Replay Attack', 'description': 'Bugcrowd. (n.d.). Replay Attack. Retrieved September 27, 2023.', 'url': 'https://www.bugcrowd.com/glossary/replay-attack/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Comparitech Replay Attack', 'description': 'Justin Schamotta. (2022, October 28). What is a replay attack?. Retrieved September 27, 2023.', 'url': 'https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Storm-0558 techniques for unauthorized email access', 'description': 'Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Retrieved September 18, 2023.', 'url': 'https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Microsoft Midnight Blizzard Replay Attack', 'description': 'Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.', 'url': 'https://twitter.com/MsftSecIntel/status/1671579359994343425'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Mohit Rathore</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Azure AD</td></tr></tbody></table></details><hr><h4>[T1211] Exploitation for Defense Evasion</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p>
-    <table class="diff" id="difflib_chg_to35__top"
+    <table class="diff" id="difflib_chg_to0__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to35__0"><a href="#difflib_chg_to35__top">t</a></td><td class="diff_header" id="from35_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td><td class="diff_next"><a href="#difflib_chg_to35__top">t</a></td><td class="diff_header" id="to35_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to0__0"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="from0_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td><td class="diff_next"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="to0_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">y&nbsp;to&nbsp;bypass&nbsp;security&nbsp;features.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vu</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">y&nbsp;to&nbsp;bypass&nbsp;security&nbsp;features.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;vulnerabili</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">lnerability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;pr</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ty&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;programming</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ogramming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operati</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;system</span></td></tr>
@@ -1058,13 +1058,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.
 
 There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Salesforce zero-day in facebook phishing attack', 'description': 'Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.', 'url': 'https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Bypassing CloudTrail in AWS Service Catalog', 'description': 'Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.', 'url': 'https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'GhostToken GCP flaw', 'description': 'Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.', 'url': 'https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>SaaS</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>IaaS</td></tr></tbody></table></details><hr><h4>[T1071.002] Application Layer Protocol: File Transfer Protocols</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
-    <table class="diff" id="difflib_chg_to22__top"
+    <table class="diff" id="difflib_chg_to13__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to22__0"><a href="#difflib_chg_to22__top">t</a></td><td class="diff_header" id="from22_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td><td class="diff_next"><a href="#difflib_chg_to22__top">t</a></td><td class="diff_header" id="to22_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to13__0"><a href="#difflib_chg_to13__top">t</a></td><td class="diff_header" id="from13_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td><td class="diff_next"><a href="#difflib_chg_to13__top">t</a></td><td class="diff_header" id="to13_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td></tr>
@@ -1083,13 +1083,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. </td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 
 
 Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. </td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1187] Forced Authentication</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-06-19 17:16:41.470000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 19:30:45.123000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1606] Forge Web Credentials</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p>
-    <table class="diff" id="difflib_chg_to18__top"
+    <table class="diff" id="difflib_chg_to35__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to18__0"><a href="#difflib_chg_to18__top">t</a></td><td class="diff_header" id="from18_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to18__top">t</a></td><td class="diff_header" id="to18_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to35__0"><a href="#difflib_chg_to35__top">t</a></td><td class="diff_header" id="from35_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to35__top">t</a></td><td class="diff_header" id="to35_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Internet&nbsp;services.&nbsp;Web</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Internet&nbsp;services.&nbsp;Web</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;applications&nbsp;and&nbsp;services&nbsp;(hosted&nbsp;in&nbsp;cloud&nbsp;SaaS&nbsp;environment</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;applications&nbsp;and&nbsp;services&nbsp;(hosted&nbsp;in&nbsp;cloud&nbsp;SaaS&nbsp;environment</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;or&nbsp;on-premise&nbsp;servers)&nbsp;often&nbsp;use&nbsp;session&nbsp;cookies,&nbsp;tokens,&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;or&nbsp;on-premise&nbsp;servers)&nbsp;often&nbsp;use&nbsp;session&nbsp;cookies,&nbsp;tokens,&nbsp;</td></tr>
@@ -1132,13 +1132,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)
 
 Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)  </td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Zimbra Preauth', 'description': 'Zimbra. (2023, March 16). Preauth. Retrieved May 31, 2023.', 'url': 'https://wiki.zimbra.com/wiki/Preauth'}</td></tr></tbody></table></details><hr><h4>[T1027.006] Obfuscated Files or Information: HTML Smuggling</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><p><b>New Mitigations</b>:</p><ul>  <li>M1048: Application Isolation and Sandboxing</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-05-19 16:29:47.637000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-14 14:01:41.475000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1562] Impair Defenses</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><p><b>New Mitigations</b>:</p><ul>  <li>M1054: Software Configuration</li></ul><p><b>New Detections</b>:</p><ul>  <li>DS0009: Process (OS API Execution)</li>  <li>DS0009: Process (Process Modification)</li>  <li>DS0022: File (File Deletion)</li>  <li>DS0022: File (File Modification)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-15 00:48:46.626000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-20 16:43:53.391000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[1]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload</td><td style='border: 1px solid black;border-collapse: collapse;'>https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>File: File Modification</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Modification</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>File: File Deletion</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: OS API Execution</td></tr></tbody></table></details><hr><h4>[T1562.006] Impair Defenses: Indicator Blocking</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 15:25:10.496000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-18 22:23:55.329000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1105] Ingress Tool Transfer</h4><p><b>Current version</b>: 2.3</p><p><b>Version changed from</b>: 2.2 → 2.3</p>
-    <table class="diff" id="difflib_chg_to7__top"
+    <table class="diff" id="difflib_chg_to1__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to7__0"><a href="#difflib_chg_to7__top">t</a></td><td class="diff_header" id="from7_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td><td class="diff_next"><a href="#difflib_chg_to7__top">t</a></td><td class="diff_header" id="to7_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to1__0"><a href="#difflib_chg_to1__top">t</a></td><td class="diff_header" id="from1_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td><td class="diff_next"><a href="#difflib_chg_to1__top">t</a></td><td class="diff_header" id="to1_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">al&nbsp;system&nbsp;into&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Tools&nbsp;or&nbsp;files&nbsp;may</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">al&nbsp;system&nbsp;into&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Tools&nbsp;or&nbsp;files&nbsp;may</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">&nbsp;be&nbsp;copied&nbsp;from&nbsp;an&nbsp;external&nbsp;adversary-controlled&nbsp;system&nbsp;to&nbsp;t</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;be&nbsp;copied&nbsp;from&nbsp;an&nbsp;external&nbsp;adversary-controlled&nbsp;system&nbsp;to&nbsp;t</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">he&nbsp;victim&nbsp;network&nbsp;through&nbsp;the&nbsp;command&nbsp;and&nbsp;control&nbsp;channel&nbsp;or</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">he&nbsp;victim&nbsp;network&nbsp;through&nbsp;the&nbsp;command&nbsp;and&nbsp;control&nbsp;channel&nbsp;or</span></td></tr>
@@ -1180,13 +1180,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.
 
 Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td><td style='border: 1px solid black;border-collapse: collapse;'>2.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Dropbox Malware Sync', 'description': 'David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.', 'url': 'https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Shailesh Tiwary (Indian Army)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>The DFIR Report</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Alain Homewood</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Command: Command Execution</td></tr></tbody></table></details><hr><h4>[T1490] Inhibit System Recovery</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-05-04 18:05:57.725000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-03 17:30:59.482000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Joey Lei</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Containers</td></tr></tbody></table></details><hr><h4>[T1553.004] Subvert Trust Controls: Install Root Certificate</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator', 'User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:45.661000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-15 17:26:02.203000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1056.001] Input Capture: Keylogging</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p>
-    <table class="diff" id="difflib_chg_to9__top"
+    <table class="diff" id="difflib_chg_to27__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to9__0"><a href="#difflib_chg_to9__top">t</a></td><td class="diff_header" id="from9_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td><td class="diff_next"><a href="#difflib_chg_to9__top">t</a></td><td class="diff_header" id="to9_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to27__0"><a href="#difflib_chg_to27__top">t</a></td><td class="diff_header" id="from27_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td><td class="diff_next"><a href="#difflib_chg_to27__top">t</a></td><td class="diff_header" id="to27_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td></tr>
@@ -1227,13 +1227,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 * Windows Registry modifications.
 * Custom drivers.
 * [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) </td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Talos Kimsuky Nov 2021', 'description': 'An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.', 'url': 'https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html'}</td></tr></tbody></table></details><hr><h4>[T1003.001] OS Credential Dumping: LSASS Memory</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><p><b>New Detections</b>:</p><ul>  <li>DS0024: Windows Registry (Windows Registry Key Modification)</li>  <li>DS0028: Logon Session (Logon Session Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-03 18:54:21.492000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-24 18:52:29.338000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Olaf Hartong, Falcon Force</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Windows Registry: Windows Registry Key Modification</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Logon Session: Logon Session Creation</td></tr></tbody></table></details><hr><h4>[T1570] Lateral Tool Transfer</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p>
-    <table class="diff" id="difflib_chg_to27__top"
+    <table class="diff" id="difflib_chg_to20__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to27__0"><a href="#difflib_chg_to27__top">t</a></td><td class="diff_header" id="from27_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td><td class="diff_next"><a href="#difflib_chg_to27__top">t</a></td><td class="diff_header" id="to27_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to20__0"><a href="#difflib_chg_to20__top">t</a></td><td class="diff_header" id="from20_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td><td class="diff_next"><a href="#difflib_chg_to20__top">t</a></td><td class="diff_header" id="to20_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;in&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Once&nbsp;brought&nbsp;into&nbsp;the&nbsp;victim</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;in&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Once&nbsp;brought&nbsp;into&nbsp;the&nbsp;victim</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;environment&nbsp;(i.e.&nbsp;[Ingress&nbsp;Tool&nbsp;Transfer](https://attack.mi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;environment&nbsp;(i.e.<span class="diff_add">,</span>&nbsp;[Ingress&nbsp;Tool&nbsp;Transfer](https://attack.m</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tre.org/techniques/T1105))&nbsp;files&nbsp;may&nbsp;then&nbsp;be&nbsp;copied&nbsp;from&nbsp;one</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">itre.org/techniques/T1105))&nbsp;files&nbsp;may&nbsp;then&nbsp;be&nbsp;copied&nbsp;from&nbsp;on</td></tr>
@@ -1261,13 +1261,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)
 
 Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Dropbox Malware Sync', 'description': 'David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.', 'url': 'https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/'}</td></tr></tbody></table></details><hr><h4>[T1222.002] File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User', 'root']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-09-13 21:08:09.985000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 17:54:22.970000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1136.001] Create Account: Local Account</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p>
-    <table class="diff" id="difflib_chg_to15__top"
+    <table class="diff" id="difflib_chg_to29__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to15__0"><a href="#difflib_chg_to15__top">t</a></td><td class="diff_header" id="from15_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td><td class="diff_next"><a href="#difflib_chg_to15__top">t</a></td><td class="diff_header" id="to15_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to29__0"><a href="#difflib_chg_to29__top">t</a></td><td class="diff_header" id="from29_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td><td class="diff_next"><a href="#difflib_chg_to29__top">t</a></td><td class="diff_header" id="to29_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;victim&nbsp;systems.&nbsp;Local&nbsp;accounts&nbsp;are&nbsp;those&nbsp;configured&nbsp;by&nbsp;an&nbsp;o</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;victim&nbsp;systems.&nbsp;Local&nbsp;accounts&nbsp;are&nbsp;those&nbsp;configured&nbsp;by&nbsp;an&nbsp;o</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rganization&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;f</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rganization&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;f</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">or&nbsp;administration&nbsp;on&nbsp;a&nbsp;single&nbsp;system&nbsp;or&nbsp;service.&nbsp;<span class="diff_chg">With&nbsp;a</span>&nbsp;suff</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">or&nbsp;administration&nbsp;on&nbsp;a&nbsp;single&nbsp;system&nbsp;or&nbsp;service.&nbsp;<span class="diff_chg">&nbsp;&nbsp;For&nbsp;examp</span></td></tr>
@@ -1291,13 +1291,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
 
 Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Kubernetes Service Accounts Security', 'description': 'Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.', 'url': 'https://kubernetes.io/docs/concepts/security/service-accounts/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Containers</td></tr></tbody></table></details><hr><h4>[T1078.003] Valid Accounts: Local Accounts</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-13 17:17:49.889000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-14 13:04:04.591000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network</td></tr></tbody></table></details><hr><h4>[T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-15 23:57:07.973000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 19:23:58.317000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1036.004] Masquerading: Masquerade Task or Service</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User', 'Administrator', 'SYSTEM']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-18 13:24:52.618000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 20:30:58.300000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1036] Masquerading</h4><p><b>Current version</b>: 1.6</p><p><b>Version changed from</b>: 1.5 → 1.6</p>
-    <table class="diff" id="difflib_chg_to20__top"
+    <table class="diff" id="difflib_chg_to38__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to20__0"><a href="#difflib_chg_to20__top">t</a></td><td class="diff_header" id="from20_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td><td class="diff_next"><a href="#difflib_chg_to20__top">t</a></td><td class="diff_header" id="to20_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to38__0"><a href="#difflib_chg_to38__top">t</a></td><td class="diff_header" id="from38_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td><td class="diff_next"><a href="#difflib_chg_to38__top">t</a></td><td class="diff_header" id="to38_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">facts&nbsp;to&nbsp;make&nbsp;them&nbsp;appear&nbsp;legitimate&nbsp;or&nbsp;benign&nbsp;to&nbsp;users&nbsp;and/</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">facts&nbsp;to&nbsp;make&nbsp;them&nbsp;appear&nbsp;legitimate&nbsp;or&nbsp;benign&nbsp;to&nbsp;users&nbsp;and/</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">or&nbsp;security&nbsp;tools.&nbsp;Masquerading&nbsp;occurs&nbsp;when&nbsp;the&nbsp;name&nbsp;or&nbsp;loca</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">or&nbsp;security&nbsp;tools.&nbsp;Masquerading&nbsp;occurs&nbsp;when&nbsp;the&nbsp;name&nbsp;or&nbsp;loca</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tion&nbsp;of&nbsp;an&nbsp;object,&nbsp;legitimate&nbsp;or&nbsp;malicious,&nbsp;is&nbsp;manipulated&nbsp;o</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tion&nbsp;of&nbsp;an&nbsp;object,&nbsp;legitimate&nbsp;or&nbsp;malicious,&nbsp;is&nbsp;manipulated&nbsp;o</td></tr>
@@ -1318,13 +1318,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
 
 Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[2]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.elastic.co/blog/how-hunt-masquerade-ball</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Goldstein Menachem</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Creation</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: OS API Execution</td></tr></tbody></table></details><hr><h4>[T1036.005] Masquerading: Match Legitimate Name or Location</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0009: Process (Process Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:42.277000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-14 21:12:48.409000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[3]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.elastic.co/blog/how-hunt-masquerade-ball</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Creation</td></tr></tbody></table></details><hr><h4>[T1578] Modify Cloud Compute Infrastructure</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0025: Cloud Service (Cloud Service Metadata)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-04-20 14:51:01.759000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-05 20:45:22.041000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Cloud Service: Cloud Service Metadata</td></tr></tbody></table></details><hr><h4>[T1112] Modify Registry</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Traffic Flow)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-21 12:19:38.962000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 19:19:54.148000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network Traffic: Network Traffic Flow</td></tr></tbody></table></details><hr><h4>[T1556.006] Modify Authentication Process: Multi-Factor Authentication</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-02-09 14:18:59.080000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 16:47:26.119000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[2]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>Manidant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.</td><td style='border: 1px solid black;border-collapse: collapse;'>Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1003.003] OS Credential Dumping: NTDS</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-03-08 21:00:52.774000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 14:41:38.908000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1106] Native API</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p>
-    <table class="diff" id="difflib_chg_to30__top"
+    <table class="diff" id="difflib_chg_to2__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to30__0"><a href="#difflib_chg_to30__top">t</a></td><td class="diff_header" id="from30_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td><td class="diff_next"><a href="#difflib_chg_to30__top">t</a></td><td class="diff_header" id="to30_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to2__0"><a href="#difflib_chg_to2__top">t</a></td><td class="diff_header" id="from2_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td><td class="diff_next"><a href="#difflib_chg_to2__top">t</a></td><td class="diff_header" id="to2_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ramming&nbsp;interface&nbsp;(API)&nbsp;to&nbsp;execute&nbsp;behaviors.&nbsp;Native&nbsp;APIs&nbsp;pr</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ramming&nbsp;interface&nbsp;(API)&nbsp;to&nbsp;execute&nbsp;behaviors.&nbsp;Native&nbsp;APIs&nbsp;pr</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ovide&nbsp;a&nbsp;controlled&nbsp;means&nbsp;of&nbsp;calling&nbsp;low-level&nbsp;OS&nbsp;services&nbsp;wi</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ovide&nbsp;a&nbsp;controlled&nbsp;means&nbsp;of&nbsp;calling&nbsp;low-level&nbsp;OS&nbsp;services&nbsp;wi</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">thin&nbsp;the&nbsp;kernel,&nbsp;such&nbsp;as&nbsp;those&nbsp;involving&nbsp;hardware/devices,&nbsp;m</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">thin&nbsp;the&nbsp;kernel,&nbsp;such&nbsp;as&nbsp;those&nbsp;involving&nbsp;hardware/devices,&nbsp;m</span></td></tr>
@@ -1380,13 +1380,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
 
 Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Redops Syscalls', 'description': 'Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.', 'url': 'https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Tristan Madani (Cybereason)</td></tr></tbody></table></details><hr><h4>[T1046] Network Service Discovery</h4><p><b>Current version</b>: 3.1</p><p><b>Version changed from</b>: 3.0 → 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:43.682000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:10:09.547000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td></tr></tbody></table></details><hr><h4>[T1135] Network Share Discovery</h4><p><b>Current version</b>: 3.2</p><p><b>Version changed from</b>: 3.1 → 3.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:46.370000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 19:44:43.870000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2</td></tr></tbody></table></details><hr><h4>[T1040] Network Sniffing</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><p><b>New Mitigations</b>:</p><ul>  <li>M1030: Network Segmentation</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 23:31:49.085000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-10 15:48:01.560000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Itamar Mizrahi, Cymptom</td></tr></tbody></table></details><hr><h4>[T1095] Non-Application Layer Protocol</h4><p><b>Current version</b>: 2.3</p><p><b>Version changed from</b>: 2.2 → 2.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-20 19:11:53.499000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 21:07:31.570000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td><td style='border: 1px solid black;border-collapse: collapse;'>2.3</td></tr></tbody></table></details><hr><h4>[T1027] Obfuscated Files or Information</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><p><b>New Mitigations</b>:</p><ul>  <li>M1017: User Training</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:43.857000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-28 19:17:53.015000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[T1550.002] Use Alternate Authentication Material: Pass the Hash</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:45.141000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 18:24:16.246000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1110.001] Brute Force: Password Guessing</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-14 23:04:08.394000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 16:57:41.743000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[T1110.003] Brute Force: Password Spraying</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-14 23:04:38.816000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-16 16:55:18.014000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
-    <table class="diff" id="difflib_chg_to14__top"
+    <table class="diff" id="difflib_chg_to4__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to14__0"><a href="#difflib_chg_to14__top">t</a></td><td class="diff_header" id="from14_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td><td class="diff_next"><a href="#difflib_chg_to14__top">t</a></td><td class="diff_header" id="to14_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to4__0"><a href="#difflib_chg_to4__top">t</a></td><td class="diff_header" id="from4_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td><td class="diff_next"><a href="#difflib_chg_to4__top">t</a></td><td class="diff_header" id="to4_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">cking&nbsp;environment&nbsp;variables&nbsp;used&nbsp;to&nbsp;load&nbsp;libraries.&nbsp;Adversar</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">cking&nbsp;environment&nbsp;variables&nbsp;used&nbsp;to&nbsp;load&nbsp;libraries.&nbsp;The&nbsp;PATH</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ies&nbsp;may&nbsp;place&nbsp;a&nbsp;program&nbsp;in&nbsp;an&nbsp;earlier&nbsp;entry&nbsp;in&nbsp;the&nbsp;list&nbsp;of&nbsp;d</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;environment&nbsp;variable&nbsp;contains&nbsp;a&nbsp;list&nbsp;of&nbsp;directories&nbsp;(User&nbsp;a</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">irectories&nbsp;stored&nbsp;in&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable,&nbsp;which&nbsp;Wi</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">nd&nbsp;System)&nbsp;that&nbsp;the&nbsp;OS&nbsp;searches&nbsp;sequentially&nbsp;through&nbsp;in&nbsp;sear</span></td></tr>
@@ -1432,13 +1432,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 For example, on Windows if an adversary places a malicious program named "net.exe" in `C:\example path`, which by default precedes `C:\Windows\system32\net.exe` in the PATH environment variable, when "net" is executed from the command-line the `C:\example path` will be called instead of the system's legitimate executable at `C:\Windows\system32\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)
 
 Adversaries may also directly modify the $PATH variable specifying the directories to be searched.  An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Elastic Rules macOS launchctl 2022', 'description': 'Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.', 'url': 'https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'ExpressVPN PATH env Windows 2021', 'description': 'ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.', 'url': 'https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'uptycs Fake POC linux malware 2023', 'description': 'Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.', 'url': 'https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'nixCraft macOS PATH variables', 'description': 'Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable Command. Retrieved September 28, 2023.', 'url': 'https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>macOS</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Linux</td></tr></tbody></table></details><hr><h4>[T1566] Phishing</h4><p><b>Current version</b>: 2.4</p><p><b>Version changed from</b>: 2.3 → 2.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-14 17:42:15.871000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-08 20:27:52.947000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.3</td><td style='border: 1px solid black;border-collapse: collapse;'>2.4</td></tr></tbody></table></details><hr><h4>[T1598] Phishing for Information</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-14 17:42:38.063000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-08 20:28:49.600000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1547.012] Boot or Logon Autostart Execution: Print Processors</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
-    <table class="diff" id="difflib_chg_to10__top"
+    <table class="diff" id="difflib_chg_to12__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to10__0"><a href="#difflib_chg_to10__top">t</a></td><td class="diff_header" id="from10_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td><td class="diff_next"><a href="#difflib_chg_to10__top">t</a></td><td class="diff_header" id="to10_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to12__0"><a href="#difflib_chg_to12__top">t</a></td><td class="diff_header" id="from12_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td><td class="diff_next"><a href="#difflib_chg_to12__top">t</a></td><td class="diff_header" id="to12_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;during&nbsp;system&nbsp;boot&nbsp;for&nbsp;persistence&nbsp;and/or&nbsp;privilege&nbsp;escalat</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;during&nbsp;system&nbsp;boot&nbsp;for&nbsp;persistence&nbsp;and/or&nbsp;privilege&nbsp;escalat</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ion.&nbsp;Print&nbsp;processors&nbsp;are&nbsp;DLLs&nbsp;that&nbsp;are&nbsp;loaded&nbsp;by&nbsp;the&nbsp;print&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ion.&nbsp;Print&nbsp;processors&nbsp;are&nbsp;DLLs&nbsp;that&nbsp;are&nbsp;loaded&nbsp;by&nbsp;the&nbsp;print&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">spooler&nbsp;service,&nbsp;spoolsv.exe,&nbsp;during&nbsp;boot.<span class="diff_chg">&nbsp;</span>&nbsp;&nbsp;Adversaries&nbsp;may</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">spooler&nbsp;service,&nbsp;<span class="diff_add">`</span>spoolsv.exe<span class="diff_add">`</span>,&nbsp;during&nbsp;boot.<span class="diff_chg">(Citation:&nbsp;Micro</span></td></tr>
@@ -1473,13 +1473,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)
 
 The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Microsoft Intro Print Processors', 'description': 'Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.', 'url': 'https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Tahseen Bin Taj</td></tr></tbody></table></details><hr><h4>[T1057] Process Discovery</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 23:34:02.125000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:40:56.448000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[T1055.012] Process Injection: Process Hollowing</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><p><b>New Detections</b>:</p><ul>  <li>DS0009: Process (Process Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-11-29 17:22:32.704000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:37:00.009000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Creation</td></tr></tbody></table></details><hr><h4>[T1563.002] Remote Service Session Hijacking: RDP Hijacking</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['SYSTEM']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-23 23:24:39.182000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 15:37:02.771000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1620] Reflective Code Loading</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-21 16:21:09.679000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 21:09:49.267000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1219] Remote Access Software</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p>
-    <table class="diff" id="difflib_chg_to23__top"
+    <table class="diff" id="difflib_chg_to33__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to23__0"><a href="#difflib_chg_to23__top">t</a></td><td class="diff_header" id="from23_1">1</td><td nowrap="nowrap"><span class="diff_sub">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td><td class="diff_next"><a href="#difflib_chg_to23__top">t</a></td><td class="diff_header" id="to23_1">1</td><td nowrap="nowrap"><span class="diff_add">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to33__0"><a href="#difflib_chg_to33__top">t</a></td><td class="diff_header" id="from33_1">1</td><td nowrap="nowrap"><span class="diff_sub">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td><td class="diff_next"><a href="#difflib_chg_to33__top">t</a></td><td class="diff_header" id="to33_1">1</td><td nowrap="nowrap"><span class="diff_add">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ccess&nbsp;software,&nbsp;such&nbsp;as&nbsp;Team&nbsp;Viewer,&nbsp;AnyDesk,&nbsp;Go2Assist,&nbsp;Log</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ccess&nbsp;software&nbsp;to&nbsp;establish&nbsp;an&nbsp;interactive&nbsp;command&nbsp;and&nbsp;contr</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">Mein,&nbsp;AmmyyAdmin,&nbsp;etc,&nbsp;to&nbsp;establish&nbsp;an&nbsp;interactive&nbsp;command&nbsp;a</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ol&nbsp;channel&nbsp;to&nbsp;target&nbsp;systems&nbsp;within&nbsp;networks.&nbsp;These&nbsp;services</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">nd&nbsp;control&nbsp;channel&nbsp;to&nbsp;target&nbsp;systems&nbsp;within&nbsp;networks.&nbsp;These&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">,&nbsp;such&nbsp;as&nbsp;`VNC`,&nbsp;`Team&nbsp;Viewer`,&nbsp;`AnyDesk`,&nbsp;`ScreenConnect`,&nbsp;</span></td></tr>
@@ -1514,13 +1514,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
 
 Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[T1021.001] Remote Services: Remote Desktop Protocol</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0028: Logon Session (Logon Session Metadata)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Remote Desktop Users', 'User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:41.927000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-07 14:23:30.265000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Logon Session: Logon Session Metadata</td></tr></tbody></table></details><hr><h4>[T1114.002] Email Collection: Remote Email Collection</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0015: Application Log (Application Log Content)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-03-25 13:12:56.909000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-05-31 12:34:03.420000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Application Log: Application Log Content</td></tr></tbody></table></details><hr><h4>[T1021] Remote Services</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><p><b>New Mitigations</b>:</p><ul>  <li>M1042: Disable or Remove Feature or Program</li></ul><p><b>New Detections</b>:</p><ul>  <li>DS0005: WMI (WMI Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:42.821000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-06-02 15:31:40.498000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>WMI: WMI Creation</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>IaaS</td></tr></tbody></table></details><hr><h4>[T1018] Remote System Discovery</h4><p><b>Current version</b>: 3.5</p><p><b>Version changed from</b>: 3.4 → 3.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:50.033000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 19:08:59.741000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.4</td><td style='border: 1px solid black;border-collapse: collapse;'>3.5</td></tr></tbody></table></details><hr><h4>[T1496] Resource Hijacking</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p>
-    <table class="diff" id="difflib_chg_to31__top"
+    <table class="diff" id="difflib_chg_to3__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to31__0"><a href="#difflib_chg_to31__top">t</a></td><td class="diff_header" id="from31_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;i</span></td><td class="diff_next"><a href="#difflib_chg_to31__top">t</a></td><td class="diff_header" id="to31_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;t</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to3__0"><a href="#difflib_chg_to3__top">t</a></td><td class="diff_header" id="from3_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;i</span></td><td class="diff_next"><a href="#difflib_chg_to3__top">t</a></td><td class="diff_header" id="to3_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;t</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">n&nbsp;order&nbsp;to&nbsp;solve&nbsp;resource&nbsp;intensive&nbsp;problems,&nbsp;which&nbsp;may&nbsp;impa</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">o&nbsp;complete&nbsp;resource-intensive&nbsp;tasks,&nbsp;which&nbsp;may&nbsp;impact&nbsp;system</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ct&nbsp;system&nbsp;and/or&nbsp;hosted&nbsp;service&nbsp;availability.&nbsp;&nbsp;&nbsp;One&nbsp;common&nbsp;p</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;and/or&nbsp;hosted&nbsp;service&nbsp;availability.&nbsp;&nbsp;&nbsp;One&nbsp;common&nbsp;purpose&nbsp;fo</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">urpose&nbsp;for&nbsp;Resource&nbsp;Hijacking&nbsp;is&nbsp;to&nbsp;validate&nbsp;transactions&nbsp;of</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">r&nbsp;Resource&nbsp;Hijacking&nbsp;is&nbsp;to&nbsp;validate&nbsp;transactions&nbsp;of&nbsp;cryptocu</span></td></tr>
@@ -1562,13 +1562,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)
 
 Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Sysdig Proxyjacking', 'description': 'Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.', 'url': 'https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Goldstein Menachem</td></tr></tbody></table></details><hr><h4>[T1218.011] System Binary Proxy Execution: Rundll32</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-21 12:25:32.096000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 15:35:28.965000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[T1021.002] Remote Services: SMB/Windows Admin Shares</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0009: Process (Process Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-03 18:57:59.554000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 17:34:51.250000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Process: Process Creation</td></tr></tbody></table></details><hr><h4>[T1021.004] Remote Services: SSH</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:49.323000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 20:24:03.069000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1098.004] Account Manipulation: SSH Authorized Keys</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p>
-    <table class="diff" id="difflib_chg_to28__top"
+    <table class="diff" id="difflib_chg_to19__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to28__0"><a href="#difflib_chg_to28__top">t</a></td><td class="diff_header" id="from28_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to28__top">t</a></td><td class="diff_header" id="to28_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to19__0"><a href="#difflib_chg_to19__top">t</a></td><td class="diff_header" id="from19_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to19__top">t</a></td><td class="diff_header" id="to19_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">file&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;on&nbsp;a&nbsp;victim&nbsp;host.&nbsp;Linux&nbsp;distrib</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">file&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;on&nbsp;a&nbsp;victim&nbsp;host.&nbsp;Linux&nbsp;distrib</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">utions&nbsp;and&nbsp;macOS&nbsp;commonly&nbsp;use&nbsp;key-based&nbsp;authentication&nbsp;to&nbsp;se</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">utions&nbsp;and&nbsp;macOS&nbsp;commonly&nbsp;use&nbsp;key-based&nbsp;authentication&nbsp;to&nbsp;se</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cure&nbsp;the&nbsp;authentication&nbsp;process&nbsp;of&nbsp;SSH&nbsp;sessions&nbsp;for&nbsp;remote&nbsp;m</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cure&nbsp;the&nbsp;authentication&nbsp;process&nbsp;of&nbsp;SSH&nbsp;sessions&nbsp;for&nbsp;remote&nbsp;m</td></tr>
@@ -1620,13 +1620,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. 
 
 SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>kill_chain_phases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'kill_chain_name': 'mitre-attack', 'phase_name': 'privilege-escalation'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Arad Inbar, Fidelis Security</td></tr></tbody></table></details><hr><h4>[T1053.005] Scheduled Task/Job: Scheduled Task</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><p><b>New Detections</b>:</p><ul>  <li>DS0022: File (File Creation)</li>  <li>DS0029: Network Traffic (Network Traffic Flow)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-07 17:11:17.807000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 21:20:10.882000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[1]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>BlackB0lt. (2022, April 15). https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml. Retrieved June 1, 2022.</td><td style='border: 1px solid black;border-collapse: collapse;'>Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[1]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml</td><td style='border: 1px solid black;border-collapse: collapse;'>https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>File: File Creation</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network Traffic: Network Traffic Flow</td></tr></tbody></table></details><hr><h4>[T1546.002] Event Triggered Execution: Screensaver</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-21 12:31:54.177000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 18:17:34.185000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1003.002] OS Credential Dumping: Security Account Manager</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><p><b>New Detections</b>:</p><ul>  <li>DS0022: File (File Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-06-15 16:17:19.049000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-24 18:53:10.860000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Olaf Hartong, Falcon Force</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>File: File Creation</td></tr></tbody></table></details><hr><h4>[T1569.002] System Services: Service Execution</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Traffic Flow)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator', 'SYSTEM']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-08-30 17:42:40.945000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 15:53:00.999000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network Traffic: Network Traffic Flow</td></tr></tbody></table></details><hr><h4>[T1129] Shared Modules</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p>
-    <table class="diff" id="difflib_chg_to39__top"
+    <table class="diff" id="difflib_chg_to23__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to39__0"><a href="#difflib_chg_to39__top">t</a></td><td class="diff_header" id="from39_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td><td class="diff_next"><a href="#difflib_chg_to39__top">t</a></td><td class="diff_header" id="to39_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to23__0"><a href="#difflib_chg_to23__top">t</a></td><td class="diff_header" id="from23_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td><td class="diff_next"><a href="#difflib_chg_to23__top">t</a></td><td class="diff_header" id="to23_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">d&nbsp;modules.&nbsp;The&nbsp;Windows&nbsp;module&nbsp;loader&nbsp;can&nbsp;be&nbsp;instructed&nbsp;to&nbsp;lo</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">d&nbsp;modules.&nbsp;Shared&nbsp;modules&nbsp;are&nbsp;executable&nbsp;files&nbsp;that&nbsp;are&nbsp;load</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ad&nbsp;DLLs&nbsp;from&nbsp;arbitrary&nbsp;local&nbsp;paths&nbsp;and&nbsp;arbitrary&nbsp;Universal&nbsp;N</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ed&nbsp;into&nbsp;processes&nbsp;to&nbsp;provide&nbsp;access&nbsp;to&nbsp;reusable&nbsp;code,&nbsp;such&nbsp;a</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">aming&nbsp;Convention&nbsp;(UNC)&nbsp;network&nbsp;paths.&nbsp;This&nbsp;functionality&nbsp;res</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">s&nbsp;specific&nbsp;custom&nbsp;functions&nbsp;or&nbsp;invoking&nbsp;OS&nbsp;API&nbsp;functions&nbsp;(i.</span></td></tr>
@@ -1674,13 +1674,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.</td><td style='border: 1px solid black;border-collapse: collapse;'>Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. 
 
 Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Apple Dev Dynamic Libraries', 'description': 'Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.', 'url': 'https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Unit42 OceanLotus 2017', 'description': 'Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.', 'url': 'https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Microsoft DLL', 'description': 'Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.', 'url': 'https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Linux Shared Libraries', 'description': 'Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.', 'url': 'https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>macOS</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Linux</td></tr></tbody></table></details><hr><h4>[T1072] Software Deployment Tools</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p>
-    <table class="diff" id="difflib_chg_to19__top"
+    <table class="diff" id="difflib_chg_to18__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to19__0"><a href="#difflib_chg_to19__top">t</a></td><td class="diff_header" id="from19_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to19__top">t</a></td><td class="diff_header" id="to19_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to18__0"><a href="#difflib_chg_to18__top">t</a></td><td class="diff_header" id="from18_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to18__top">t</a></td><td class="diff_header" id="to18_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">suites&nbsp;installed&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network,&nbsp;such&nbsp;as&nbsp;admin</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">suites&nbsp;installed&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network,&nbsp;such&nbsp;as&nbsp;admin</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">istration,&nbsp;monitoring,&nbsp;and&nbsp;deployment&nbsp;systems,&nbsp;to&nbsp;move&nbsp;later</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">istration,&nbsp;monitoring,&nbsp;and&nbsp;deployment&nbsp;systems,&nbsp;to&nbsp;move&nbsp;later</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ally&nbsp;through&nbsp;the&nbsp;network.&nbsp;Third-party&nbsp;applications&nbsp;and&nbsp;softw</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ally&nbsp;through&nbsp;the&nbsp;network.&nbsp;Third-party&nbsp;applications&nbsp;and&nbsp;softw</td></tr>
@@ -1710,71 +1710,14 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 
 Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)
 
-The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation', 'description': 'ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.', 'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Gumke, U.S. Bank</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network</td></tr></tbody></table></details><hr><h4>[T1566.002] Phishing: Spearphishing Link</h4><p><b>Current version</b>: 2.5</p><p><b>Version changed from</b>: 2.4 → 2.5</p>
-    <table class="diff" id="difflib_chg_to21__top"
-           cellspacing="0" cellpadding="0" rules="groups" >
-        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
-        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
-        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
-        <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to21__0"><a href="#difflib_chg_to21__top">t</a></td><td class="diff_header" id="from21_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td><td class="diff_next"><a href="#difflib_chg_to21__top">t</a></td><td class="diff_header" id="to21_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;int</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;<span class="diff_add">&nbsp;</span>Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;in</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">eract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;imag</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">teract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;ima</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">es&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionally</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ges&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionall</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spec</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">y,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spe</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;"ID</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;"I</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">N&nbsp;homograph&nbsp;attack").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;&nbsp;Adversar</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">DN&nbsp;homograph&nbsp;attack").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;<span class="diff_add">URLs&nbsp;may</span></td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ies&nbsp;may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;also&nbsp;be&nbsp;obfuscated&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;quirks&nbsp;in&nbsp;the&nbsp;URL</span></td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cally&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;schema,&nbsp;such&nbsp;as&nbsp;the&nbsp;acceptance&nbsp;of&nbsp;integer-&nbsp;or&nbsp;hexadecimal-b</span></td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">user&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ased&nbsp;hostname&nbsp;formats&nbsp;and&nbsp;the&nbsp;automatic&nbsp;discarding&nbsp;of&nbsp;text&nbsp;b</span></td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">allowing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](ht</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">efore&nbsp;an&nbsp;“@”&nbsp;symbol:&nbsp;for&nbsp;example,&nbsp;`hxxp://google.com@1157586</span></td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tps://attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;M</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">937`.(Citation:&nbsp;Mandiant&nbsp;URL&nbsp;Obfuscation&nbsp;2023)&nbsp;</span>&nbsp;Adversaries&nbsp;</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">icro&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typicall</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;the&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;u</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">y&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;user</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ser&nbsp;via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Ph</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;allo</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ishing&nbsp;2021)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">wing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https:</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">//attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;Micro</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow&nbsp;the</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Phishi</td></tr>
-            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ng&nbsp;2021)</td></tr>
-        </tbody>
-    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-11 00:44:21.193000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-06 14:08:51.616000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
-
-All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016)
-
-Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to  [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
-
-All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.
-
-Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)
-
-Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to  [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.4</td><td style='border: 1px solid black;border-collapse: collapse;'>2.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}</td></tr></tbody></table></details><hr><h4>[T1598.003] Phishing for Information: Spearphishing Link</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p>
-    <table class="diff" id="difflib_chg_to17__top"
+The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation', 'description': 'ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.', 'url': 'https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Gumke, U.S. Bank</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network</td></tr></tbody></table></details><hr><h4>[T1598.003] Phishing for Information: Spearphishing Link</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p>
+    <table class="diff" id="difflib_chg_to28__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to17__0"><a href="#difflib_chg_to17__top">t</a></td><td class="diff_header" id="from17_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td><td class="diff_next"><a href="#difflib_chg_to17__top">t</a></td><td class="diff_header" id="to17_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to28__0"><a href="#difflib_chg_to28__top">t</a></td><td class="diff_header" id="from28_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td><td class="diff_next"><a href="#difflib_chg_to28__top">t</a></td><td class="diff_header" id="to28_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;link&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;durin</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;link&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;durin</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">g&nbsp;targeting.&nbsp;Spearphishing&nbsp;for&nbsp;information&nbsp;is&nbsp;an&nbsp;attempt&nbsp;to&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">g&nbsp;targeting.&nbsp;Spearphishing&nbsp;for&nbsp;information&nbsp;is&nbsp;an&nbsp;attempt&nbsp;to&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">trick&nbsp;targets&nbsp;into&nbsp;divulging&nbsp;information,&nbsp;frequently&nbsp;credent</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">trick&nbsp;targets&nbsp;into&nbsp;divulging&nbsp;information,&nbsp;frequently&nbsp;credent</td></tr>
@@ -1845,14 +1788,71 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 
 Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)
 
-From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Proofpoint Human Factor', 'description': 'Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.', 'url': 'https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Austin Herrin</td></tr></tbody></table></details><hr><h4>[T1016] System Network Configuration Discovery</h4><p><b>Current version</b>: 1.6</p><p><b>Version changed from</b>: 1.5 → 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:38.842000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 14:40:54.580000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td></tr></tbody></table></details><hr><h4>[T1033] System Owner/User Discovery</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 23:35:40.261000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 19:50:06.736000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[T1543.002] Create or Modify System Process: Systemd Service</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p>
-    <table class="diff" id="difflib_chg_to16__top"
+From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Proofpoint Human Factor', 'description': 'Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.', 'url': 'https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Austin Herrin</td></tr></tbody></table></details><hr><h4>[T1566.002] Phishing: Spearphishing Link</h4><p><b>Current version</b>: 2.5</p><p><b>Version changed from</b>: 2.4 → 2.5</p>
+    <table class="diff" id="difflib_chg_to24__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to16__0"><a href="#difflib_chg_to16__top">t</a></td><td class="diff_header" id="from16_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td><td class="diff_next"><a href="#difflib_chg_to16__top">t</a></td><td class="diff_header" id="to16_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to24__0"><a href="#difflib_chg_to24__top">t</a></td><td class="diff_header" id="from24_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td><td class="diff_next"><a href="#difflib_chg_to24__top">t</a></td><td class="diff_header" id="to24_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;int</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;<span class="diff_add">&nbsp;</span>Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;in</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">eract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;imag</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">teract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;ima</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">es&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionally</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ges&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionall</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spec</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">y,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spe</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;"ID</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;"I</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">N&nbsp;homograph&nbsp;attack").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;&nbsp;Adversar</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">DN&nbsp;homograph&nbsp;attack").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;<span class="diff_add">URLs&nbsp;may</span></td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ies&nbsp;may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;also&nbsp;be&nbsp;obfuscated&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;quirks&nbsp;in&nbsp;the&nbsp;URL</span></td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cally&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;schema,&nbsp;such&nbsp;as&nbsp;the&nbsp;acceptance&nbsp;of&nbsp;integer-&nbsp;or&nbsp;hexadecimal-b</span></td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">user&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ased&nbsp;hostname&nbsp;formats&nbsp;and&nbsp;the&nbsp;automatic&nbsp;discarding&nbsp;of&nbsp;text&nbsp;b</span></td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">allowing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](ht</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">efore&nbsp;an&nbsp;“@”&nbsp;symbol:&nbsp;for&nbsp;example,&nbsp;`hxxp://google.com@1157586</span></td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tps://attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;M</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">937`.(Citation:&nbsp;Mandiant&nbsp;URL&nbsp;Obfuscation&nbsp;2023)&nbsp;</span>&nbsp;Adversaries&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">icro&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typicall</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;the&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;u</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">y&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;user</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ser&nbsp;via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Ph</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;allo</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ishing&nbsp;2021)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">wing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https:</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">//attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;Micro</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow&nbsp;the</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Phishi</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ng&nbsp;2021)</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-11 00:44:21.193000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-06 14:08:51.616000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
+
+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016)
+
+Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to  [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
+
+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.
+
+Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)
+
+Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to  [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.4</td><td style='border: 1px solid black;border-collapse: collapse;'>2.5</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant URL Obfuscation 2023', 'description': "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.", 'url': 'https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse'}</td></tr></tbody></table></details><hr><h4>[T1016] System Network Configuration Discovery</h4><p><b>Current version</b>: 1.6</p><p><b>Version changed from</b>: 1.5 → 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:38.842000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 14:40:54.580000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td></tr></tbody></table></details><hr><h4>[T1033] System Owner/User Discovery</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-12 23:35:40.261000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 19:50:06.736000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[T1543.002] Create or Modify System Process: Systemd Service</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p>
+    <table class="diff" id="difflib_chg_to15__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to15__0"><a href="#difflib_chg_to15__top">t</a></td><td class="diff_header" id="from15_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td><td class="diff_next"><a href="#difflib_chg_to15__top">t</a></td><td class="diff_header" id="to15_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;Syste</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;Syste</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">md&nbsp;is&nbsp;a&nbsp;system&nbsp;and&nbsp;service&nbsp;manager&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managin</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">md&nbsp;is&nbsp;a&nbsp;system&nbsp;and&nbsp;service&nbsp;manager&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managin</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">g&nbsp;background&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;o</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">g&nbsp;background&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;o</span></td></tr>
@@ -1909,13 +1909,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.  
 
 Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) </td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'airwalk backdoor unix systems', 'description': 'airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.', 'url': 'http://www.ouah.org/backdoors.html'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Tim (Wadhwa-)Brown</td></tr></tbody></table></details><hr><h4>[T1053.006] Scheduled Task/Job: Systemd Timers</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p>
-    <table class="diff" id="difflib_chg_to37__top"
+    <table class="diff" id="difflib_chg_to21__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to37__0"><a href="#difflib_chg_to37__top">t</a></td><td class="diff_header" id="from37_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td><td class="diff_next"><a href="#difflib_chg_to37__top">t</a></td><td class="diff_header" id="to37_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to21__0"><a href="#difflib_chg_to21__top">t</a></td><td class="diff_header" id="from21_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td><td class="diff_next"><a href="#difflib_chg_to21__top">t</a></td><td class="diff_header" id="to21_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ing&nbsp;for&nbsp;initial&nbsp;or&nbsp;recurring&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;code.&nbsp;Sy</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ing&nbsp;for&nbsp;initial&nbsp;or&nbsp;recurring&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;code.&nbsp;Sy</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">stemd&nbsp;timers&nbsp;are&nbsp;unit&nbsp;files&nbsp;with&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.timer</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">stemd&nbsp;timers&nbsp;are&nbsp;unit&nbsp;files&nbsp;with&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.timer</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&lt;/code&gt;&nbsp;that&nbsp;control&nbsp;services.&nbsp;Timers&nbsp;can&nbsp;be&nbsp;set&nbsp;to&nbsp;run&nbsp;on&nbsp;a</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&lt;/code&gt;&nbsp;that&nbsp;control&nbsp;services.&nbsp;Timers&nbsp;can&nbsp;be&nbsp;set&nbsp;to&nbsp;run&nbsp;on&nbsp;a</td></tr>
@@ -1955,13 +1955,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.
 
 An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Falcon Sandbox smp: 28553b3a9d', 'description': 'Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.', 'url': 'https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300'}</td></tr></tbody></table></details><hr><h4>[T1080] Taint Shared Content</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><p><b>New Mitigations</b>:</p><ul>  <li>M1049: Antivirus/Antimalware</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:36.145000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-05-31 12:33:20.915000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[T1134.001] Access Token Manipulation: Token Impersonation/Theft</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-11 21:19:05.544000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 21:08:45.174000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1071.001] Application Layer Protocol: Web Protocols</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-11 15:21:27.965000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 20:22:37.414000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1059.003] Command and Scripting Interpreter: Windows Command Shell</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-07-26 17:13:07.345000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-28 17:50:21.947000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1047] Windows Management Instrumentation</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><p><b>New Detections</b>:</p><ul>  <li>DS0005: WMI (WMI Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-07 17:10:13.696000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-24 20:38:58.283000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Olaf Hartong, Falcon Force</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>WMI: WMI Creation</td></tr></tbody></table></details><hr><h4>[T1021.006] Remote Services: Windows Remote Management</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Traffic Flow)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['User', 'Administrator']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-06-23 19:22:52.870000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-11 15:26:41.941000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network Traffic: Network Traffic Flow</td></tr></tbody></table></details><hr><h4>[T1543.003] Create or Modify System Process: Windows Service</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><p><b>New Detections</b>:</p><ul>  <li>DS0022: File (File Metadata)</li>  <li>DS0029: Network Traffic (Network Traffic Flow)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-21 12:30:35.872000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-15 16:42:25.014000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Network Traffic: Network Traffic Flow</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_data_sources</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>File: File Metadata</td></tr></tbody></table></details><hr><h4>[T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 21:01:47.069000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 15:11:30.220000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1547.013] Boot or Logon Autostart Execution: XDG Autostart Entries</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
-    <table class="diff" id="difflib_chg_to3__top"
+    <table class="diff" id="difflib_chg_to39__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to3__0"><a href="#difflib_chg_to3__top">t</a></td><td class="diff_header" id="from3_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;modify&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;to&nbsp;execute&nbsp;prog</span></td><td class="diff_next"><a href="#difflib_chg_to3__top">t</a></td><td class="diff_header" id="to3_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;add&nbsp;or&nbsp;modify&nbsp;XDG&nbsp;Autostart&nbsp;Entries&nbsp;to&nbsp;execu</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to39__0"><a href="#difflib_chg_to39__top">t</a></td><td class="diff_header" id="from39_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;modify&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;to&nbsp;execute&nbsp;prog</span></td><td class="diff_next"><a href="#difflib_chg_to39__top">t</a></td><td class="diff_header" id="to39_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;add&nbsp;or&nbsp;modify&nbsp;XDG&nbsp;Autostart&nbsp;Entries&nbsp;to&nbsp;execu</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">rams&nbsp;or&nbsp;commands&nbsp;during&nbsp;system&nbsp;boot.&nbsp;Linux&nbsp;desktop&nbsp;environme</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">te&nbsp;malicious&nbsp;programs&nbsp;or&nbsp;commands&nbsp;when&nbsp;a&nbsp;user’s&nbsp;desktop&nbsp;envi</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">nts&nbsp;that&nbsp;are&nbsp;XDG&nbsp;compliant&nbsp;implement&nbsp;functionality&nbsp;for&nbsp;XDG&nbsp;a</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ronment&nbsp;is&nbsp;loaded&nbsp;at&nbsp;login.&nbsp;XDG&nbsp;Autostart&nbsp;entries&nbsp;are&nbsp;availa</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">utostart&nbsp;entries.&nbsp;These&nbsp;entries&nbsp;will&nbsp;allow&nbsp;an&nbsp;application&nbsp;to</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ble&nbsp;for&nbsp;any&nbsp;XDG-compliant&nbsp;Linux&nbsp;system.&nbsp;XDG&nbsp;Autostart&nbsp;entrie</span></td></tr>
@@ -1995,13 +1995,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user’s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.
 
 Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Red Canary Netwire Linux 2022', 'description': 'TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.', 'url': 'https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/'}</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[T1550.001] Use Alternate Authentication Material: Application Access Token</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-05-04 18:04:17.588000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-19 21:24:45.231000+00:00</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Jack Burns, HubSpot</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'>Jen Burns, HubSpot</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T1003.005] OS Credential Dumping: Cached Domain Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['SYSTEM']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-24 20:41:08.996000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-19 18:37:57.025000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[1]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>Microsfot. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.</td><td style='border: 1px solid black;border-collapse: collapse;'>Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.</td></tr></tbody></table></details><hr><h4>[T1526] Cloud Service Discovery</h4><p><b>Current version</b>: 1.3</p>
-    <table class="diff" id="difflib_chg_to12__top"
+    <table class="diff" id="difflib_chg_to11__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to12__0"><a href="#difflib_chg_to12__top">t</a></td><td class="diff_header" id="from12_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td><td class="diff_next"><a href="#difflib_chg_to12__top">t</a></td><td class="diff_header" id="to12_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to11__0"><a href="#difflib_chg_to11__top">t</a></td><td class="diff_header" id="from11_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td><td class="diff_next"><a href="#difflib_chg_to11__top">t</a></td><td class="diff_header" id="to11_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ning&nbsp;on&nbsp;a&nbsp;system&nbsp;after&nbsp;gaining&nbsp;access.&nbsp;These&nbsp;methods&nbsp;can&nbsp;dif</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ning&nbsp;on&nbsp;a&nbsp;system&nbsp;after&nbsp;gaining&nbsp;access.&nbsp;These&nbsp;methods&nbsp;can&nbsp;dif</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">fer&nbsp;from&nbsp;platform-as-a-service&nbsp;(PaaS),&nbsp;to&nbsp;infrastructure-as-</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">fer&nbsp;from&nbsp;platform-as-a-service&nbsp;(PaaS),&nbsp;to&nbsp;infrastructure-as-</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">a-service&nbsp;(IaaS),&nbsp;or&nbsp;software-as-a-service&nbsp;(SaaS).&nbsp;Many&nbsp;serv</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">a-service&nbsp;(IaaS),&nbsp;or&nbsp;software-as-a-service&nbsp;(SaaS).&nbsp;Many&nbsp;serv</td></tr>
@@ -2043,13 +2043,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
 
 Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).</td></tr></tbody></table></details><hr><h4>[T1218.001] System Binary Proxy Execution: Compiled HTML File</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-21 12:23:17.694000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-18 16:31:56.936000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[5]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://msitpros.com/?p=3909</td><td style='border: 1px solid black;border-collapse: collapse;'>https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr></tbody></table></details><hr><h4>[T1036.008] Masquerading: Masquerade File Type</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-11 22:37:42.319000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-06-14 23:03:51.540000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[1]</td><td style='border: 1px solid black;border-collapse: collapse;'>Ben Smith</td><td style='border: 1px solid black;border-collapse: collapse;'>Ben Smith, @ezaspy</td></tr></tbody></table></details><hr><h4>[T1546.013] Event Triggered Execution: PowerShell Profile</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-02-08 16:39:08.851000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-20 17:04:13.976000+00:00</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Matt Green, @mgreen27</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'>Matthew Green</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T1036.003] Masquerading: Rename System Utilities</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-07 17:07:20.038000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-14 21:12:48.411000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[2]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.elastic.co/blog/how-hunt-masquerade-ball</td></tr></tbody></table></details><hr><h4>[T1091] Replication Through Removable Media</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-21 19:14:13.179000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-17 20:42:21.453000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Joas Antonio dos Santos, @Cr4zyC0d3</td><td style='border: 1px solid black;border-collapse: collapse;'>Joas Antonio dos Santos, @C0d3Cr4zy</td></tr></tbody></table></details><hr><h4>[T1606.002] Forge Web Credentials: SAML Tokens</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_permissions_required</td><td style='border: 1px solid black;border-collapse: collapse;'>['Administrator']</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-09-20 16:47:19.173000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-19 21:25:46.568000+00:00</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Jack Burns, HubSpot</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'>Jen Burns, HubSpot</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T1528] Steal Application Access Token</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-21 16:25:11.482000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-19 21:23:50.233000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[6]</td><td style='border: 1px solid black;border-collapse: collapse;'>Jen Burns, HubSpot</td><td style='border: 1px solid black;border-collapse: collapse;'>Jack Burns, HubSpot</td></tr></tbody></table></details><hr><h4>[T1539] Steal Web Session Cookie</h4><p><b>Current version</b>: 1.2</p>
-    <table class="diff" id="difflib_chg_to33__top"
+    <table class="diff" id="difflib_chg_to37__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to33__0"><a href="#difflib_chg_to33__top">t</a></td><td class="diff_header" id="from33_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td><td class="diff_next"><a href="#difflib_chg_to33__top">t</a></td><td class="diff_header" id="to33_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to37__0"><a href="#difflib_chg_to37__top">t</a></td><td class="diff_header" id="from37_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td><td class="diff_next"><a href="#difflib_chg_to37__top">t</a></td><td class="diff_header" id="to37_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">okies&nbsp;and&nbsp;use&nbsp;them&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Int</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">okies&nbsp;and&nbsp;use&nbsp;them&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Int</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ernet&nbsp;services&nbsp;as&nbsp;an&nbsp;authenticated&nbsp;user&nbsp;without&nbsp;needing&nbsp;cred</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ernet&nbsp;services&nbsp;as&nbsp;an&nbsp;authenticated&nbsp;user&nbsp;without&nbsp;needing&nbsp;cred</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">entials.&nbsp;Web&nbsp;applications&nbsp;and&nbsp;services&nbsp;often&nbsp;use&nbsp;session&nbsp;coo</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">entials.&nbsp;Web&nbsp;applications&nbsp;and&nbsp;services&nbsp;often&nbsp;use&nbsp;session&nbsp;coo</td></tr>
@@ -2120,13 +2120,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 </p><hr><h4>[T1663] Remote Access Software</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices.  
 
 Remote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence.  </p></details><details><summary>Minor Version Changes</summary><hr><h4>[T1481.002] Web Service: Bidirectional Communication</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-16 13:32:55.266000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:34:55.968000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1616] Call Control</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0042: User Interface (System Notifications)</li></ul><p><b>Dropped Detections</b>:</p><ul>  <li>DS0041: Application Vetting (Permissions Requests)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-16 18:31:37.189000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-10 21:57:52.009000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1623] Command and Scripting Interpreter</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0017: Command (Command Execution)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 15:16:19.547000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-07 22:15:34.693000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1481.001] Web Service: Dead Drop Resolver</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Connection Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 15:56:04.790000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:33:56.861000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1637.001] Dynamic Resolution: Domain Generation Algorithms</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><p><b>New Detections</b>:</p><ul>  <li>DS0041: Application Vetting (Network Communication)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-05 19:59:22.888000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:19:54.832000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1407] Download New Code at Runtime</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><p><b>New Detections</b>:</p><ul>  <li>DS0041: Application Vetting (Network Communication)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:21:59.494000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-08 16:23:41.271000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[T1456] Drive-By Compromise</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:24:56.530000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-07 17:12:07.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[T1637] Dynamic Resolution</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><p><b>New Detections</b>:</p><ul>  <li>DS0041: Application Vetting (Network Communication)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-05 19:57:15.734000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:19:34.225000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1639] Exfiltration Over Alternative Protocol</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-29 17:29:00.038000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:39:22.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_detection</td><td style='border: 1px solid black;border-collapse: collapse;'>Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.</td><td style='border: 1px solid black;border-collapse: collapse;'>[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1646] Exfiltration Over C2 Channel</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-08 16:25:44.552000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:41:52+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_detection</td><td style='border: 1px solid black;border-collapse: collapse;'>Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.</td><td style='border: 1px solid black;border-collapse: collapse;'>[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1639.001] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-06 13:23:10.087000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:40:40.166000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_detection</td><td style='border: 1px solid black;border-collapse: collapse;'>Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.</td><td style='border: 1px solid black;border-collapse: collapse;'>[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[T1544] Ingress Tool Transfer</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:43:44.687000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:21:05.728000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[T1516] Input Injection</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0042: User Interface (System Settings)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-24 15:09:07.609000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-08 22:50:32.775000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1461] Lockscreen Bypass</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p>
-    <table class="diff" id="difflib_chg_to50__top"
+    <table class="diff" id="difflib_chg_to51__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to50__0"><a href="#difflib_chg_to50__top">t</a></td><td class="diff_header" id="from50_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td><td class="diff_next"><a href="#difflib_chg_to50__top">t</a></td><td class="diff_header" id="to50_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to51__0"><a href="#difflib_chg_to51__top">t</a></td><td class="diff_header" id="from51_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td><td class="diff_next"><a href="#difflib_chg_to51__top">t</a></td><td class="diff_header" id="to51_1">1</td><td nowrap="nowrap">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">k&nbsp;to&nbsp;bypass&nbsp;the&nbsp;device’s&nbsp;lockscreen.&nbsp;Several&nbsp;methods&nbsp;exist&nbsp;t</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">k&nbsp;to&nbsp;bypass&nbsp;the&nbsp;device’s&nbsp;lockscreen.&nbsp;Several&nbsp;methods&nbsp;exist&nbsp;t</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">o&nbsp;accomplish&nbsp;this,&nbsp;including:&nbsp;&nbsp;*&nbsp;Biometric&nbsp;spoofing:&nbsp;If&nbsp;biom</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">o&nbsp;accomplish&nbsp;this,&nbsp;including:&nbsp;&nbsp;*&nbsp;Biometric&nbsp;spoofing:&nbsp;If&nbsp;biom</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">etric&nbsp;authentication&nbsp;is&nbsp;used,&nbsp;an&nbsp;adversary&nbsp;could&nbsp;attempt&nbsp;to&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">etric&nbsp;authentication&nbsp;is&nbsp;used,&nbsp;an&nbsp;adversary&nbsp;could&nbsp;attempt&nbsp;to&nbsp;</td></tr>
@@ -2160,13 +2160,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 * Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.
 * Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)
 </td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[T1406] Obfuscated Files or Information</h4><p><b>Current version</b>: 3.1</p><p><b>Version changed from</b>: 3.0 → 3.1</p><p><b>New Detections</b>:</p><ul>  <li>DS0041: Application Vetting (API Calls)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-06 12:36:31.652000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 14:38:34.859000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td></tr></tbody></table></details><hr><h4>[T1481.003] Web Service: One-Way Communication</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Connection Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:53:34.118000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:35:55.739000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1629.001] Impair Defenses: Prevent Application Removal</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p>
-    <table class="diff" id="difflib_chg_to52__top"
+    <table class="diff" id="difflib_chg_to49__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to52__0"><a href="#difflib_chg_to52__top">t</a></td><td class="diff_header" id="from52_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td><td class="diff_next"><a href="#difflib_chg_to52__top">t</a></td><td class="diff_header" id="to52_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to49__0"><a href="#difflib_chg_to49__top">t</a></td><td class="diff_header" id="from49_1">1</td><td nowrap="nowrap"><span class="diff_sub">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td><td class="diff_next"><a href="#difflib_chg_to49__top">t</a></td><td class="diff_header" id="to49_1">1</td><td nowrap="nowrap"><span class="diff_add">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;uninstalling&nbsp;a&nbsp;target&nbsp;application.&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;uninstalling&nbsp;a&nbsp;target&nbsp;application.&nbsp;</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">In&nbsp;earlier&nbsp;versions&nbsp;of&nbsp;Android,&nbsp;device&nbsp;administrator&nbsp;applica</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">In&nbsp;earlier&nbsp;versions&nbsp;of&nbsp;Android,&nbsp;device&nbsp;administrator&nbsp;applica</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">tions&nbsp;needed&nbsp;their&nbsp;administration&nbsp;capabilities&nbsp;explicitly&nbsp;de</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">tions&nbsp;needed&nbsp;their&nbsp;administration&nbsp;capabilities&nbsp;explicitly&nbsp;de</span></td></tr>
@@ -2201,13 +2201,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 * Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen 
 
 * Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event </td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1458] Replication Through Removable Media</h4><p><b>Current version</b>: 2.1</p><p><b>Version changed from</b>: 2.0 → 2.1</p><p><b>New Detections</b>:</p><ul>  <li>DS0013: Sensor Health (Host Status)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-08 15:53:11.864000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-07 17:13:04.396000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td></tr></tbody></table></details><hr><h4>[T1623.001] Command and Scripting Interpreter: Unix Shell</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Detections</b>:</p><ul>  <li>DS0009: Process (Process Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:41:18.389000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-07 22:48:30.418000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[T1481] Web Service</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><p><b>New Detections</b>:</p><ul>  <li>DS0029: Network Traffic (Network Connection Creation)</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:37:13.730000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-14 16:31:37.317000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[T1634] Credentials from Password Store</h4><p><b>Current version</b>: 1.1</p>
-    <table class="diff" id="difflib_chg_to53__top"
+    <table class="diff" id="difflib_chg_to50__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to53__0"><a href="#difflib_chg_to53__top">t</a></td><td class="diff_header" id="from53_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to53__top">t</a></td><td class="diff_header" id="to53_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to50__0"><a href="#difflib_chg_to50__top">t</a></td><td class="diff_header" id="from50_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to50__top">t</a></td><td class="diff_header" id="to50_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;can&nbsp;be&nbsp;stored&nbsp;in&nbsp;several&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;can&nbsp;be&nbsp;stored&nbsp;in&nbsp;several&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">places&nbsp;on&nbsp;a&nbsp;device,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;app</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">places&nbsp;on&nbsp;a&nbsp;device,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;app</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">lication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;ap</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">lication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;ap</td></tr>
@@ -2247,13 +2247,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. </td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. 
 
 When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. </td></tr></tbody></table></details><hr><h4>[T1430.002] Location Tracking: Impersonate SS7 Nodes</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:41:45.256000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-15 15:06:03.427000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[2]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf</td><td style='border: 1px solid black;border-collapse: collapse;'>https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf</td></tr></tbody></table></details><hr><h4>[T1509] Non-Standard Port</h4><p><b>Current version</b>: 2.1</p>
-    <table class="diff" id="difflib_chg_to51__top"
+    <table class="diff" id="difflib_chg_to52__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to51__0"><a href="#difflib_chg_to51__top">t</a></td><td class="diff_header" id="from51_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td><td class="diff_next"><a href="#difflib_chg_to51__top">t</a></td><td class="diff_header" id="to51_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to52__0"><a href="#difflib_chg_to52__top">t</a></td><td class="diff_header" id="from52_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td><td class="diff_next"><a href="#difflib_chg_to52__top">t</a></td><td class="diff_header" id="to52_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;port&nbsp;pa<span class="diff_chg">ring</span>&nbsp;that&nbsp;are&nbsp;typically&nbsp;not&nbsp;associated.&nbsp;For&nbsp;example</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;port&nbsp;pa<span class="diff_chg">iring</span>&nbsp;that&nbsp;are&nbsp;typically&nbsp;not&nbsp;associated.&nbsp;For&nbsp;exampl</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">,&nbsp;HTTPS&nbsp;over&nbsp;port&nbsp;8088&nbsp;or&nbsp;port&nbsp;587&nbsp;as&nbsp;opposed&nbsp;to&nbsp;the&nbsp;traditi</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">e,&nbsp;HTTPS&nbsp;over&nbsp;port&nbsp;8088&nbsp;or&nbsp;port&nbsp;587&nbsp;as&nbsp;opposed&nbsp;to&nbsp;the&nbsp;tradit</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">onal&nbsp;port&nbsp;443.&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;changes&nbsp;to&nbsp;the&nbsp;standard&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ional&nbsp;port&nbsp;443.&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;changes&nbsp;to&nbsp;the&nbsp;standard</td></tr>
@@ -2261,13 +2261,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">is/parsing&nbsp;of&nbsp;network&nbsp;data.</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">sis/parsing&nbsp;of&nbsp;network&nbsp;data.</td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-20 18:51:58.228000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-08 19:21:40.736000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.</td></tr></tbody></table></details><hr><h4>[T1625.001] Hijack Execution Flow: System Runtime API Hijacking</h4><p><b>Current version</b>: 1.1</p>
-    <table class="diff" id="difflib_chg_to49__top"
+    <table class="diff" id="difflib_chg_to53__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to49__0"><a href="#difflib_chg_to49__top">t</a></td><td class="diff_header" id="from49_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td><td class="diff_next"><a href="#difflib_chg_to49__top">t</a></td><td class="diff_header" id="to49_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to53__0"><a href="#difflib_chg_to53__top">t</a></td><td class="diff_header" id="from53_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td><td class="diff_next"><a href="#difflib_chg_to53__top">t</a></td><td class="diff_header" id="to53_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cking&nbsp;the&nbsp;way&nbsp;an&nbsp;operating&nbsp;system&nbsp;run&nbsp;applications.&nbsp;Hijackin</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">cking&nbsp;the&nbsp;way&nbsp;an&nbsp;operating&nbsp;system&nbsp;run<span class="diff_add">s</span>&nbsp;applications.&nbsp;Hijacki</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">g&nbsp;execution&nbsp;flow&nbsp;can&nbsp;be&nbsp;for&nbsp;the&nbsp;purposes&nbsp;of&nbsp;persistence&nbsp;sinc</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ng&nbsp;execution&nbsp;flow&nbsp;can&nbsp;be&nbsp;for&nbsp;the&nbsp;purposes&nbsp;of&nbsp;persistence&nbsp;sin</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">e&nbsp;this&nbsp;hijacked&nbsp;execution&nbsp;may&nbsp;reoccur&nbsp;at&nbsp;later&nbsp;points&nbsp;in&nbsp;tim</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ce&nbsp;this&nbsp;hijacked&nbsp;execution&nbsp;may&nbsp;reoccur&nbsp;at&nbsp;later&nbsp;points&nbsp;in&nbsp;ti</td></tr>
@@ -2284,13 +2284,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
 
 
 On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Minor Version Changes</summary><hr><h4>[T0803] Block Command Message</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_detection</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-24 15:09:07.609000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:58.380000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Device Configuration/Parameters</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0821] Modify Controller Tasking</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Mitigations</b>:</p><ul>  <li>M0800: Authorization Enforcement</li>  <li>M0804: Human User Authentication</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:58.991000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0836] Modify Parameter</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><p><b>New Mitigations</b>:</p><ul>  <li>M0804: Human User Authentication</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-05 14:15:29.756000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:58.786000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0889] Modify Program</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><p><b>New Mitigations</b>:</p><ul>  <li>M0800: Authorization Enforcement</li>  <li>M0804: Human User Authentication</li></ul><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-20 17:01:10.138000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0881] Service Stop</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_detection</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-24 15:09:07.609000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:58.586000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Enterprise ATT&CK', 'description': 'Enterprise ATT&CK   Service Stop Retrieved. 2019/10/29 ', 'url': 'https://attack.mitre.org/techniques/T1489/'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[T0800] Activate Firmware Update Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-24 15:09:07.609000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:59.593000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0830] Adversary-in-the-Middle</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:08.233000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0878] Alarm Suppression</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:13:55.599000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:01.578000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Device Configuration/Parameters</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0802] Automated Collection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:04.179000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0804] Block Reporting Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-09-19 13:57:23.538000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:04.376000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Device Configuration/Parameters</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0805] Block Serial COM</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-20 21:02:54.674000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:00.184000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Device Configuration/Parameters</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0806] Brute Force I/O</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-29 16:17:27.903000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:08.037000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0892] Change Credential</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-07 13:40:53.842000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:14.123000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0858] Change Operating Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:01.367000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0807] Command-Line Interface</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:00.378000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0885] Commonly Used Port</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:12.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0884] Connection Proxy</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:11.730000+00:00</td></tr></tbody></table></details><hr><h4>[T0879] Damage to Property</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:14:42.829000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:06.993000+00:00</td></tr></tbody></table></details><hr><h4>[T0809] Data Destruction</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-09-19 14:12:22.878000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:04.784000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0811] Data from Information Repositories</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 19:09:43.744000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:03.187000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0893] Data from Local System</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-05 14:14:48.109000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:13.921000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0812] Default Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:07.653000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0813] Denial of Control</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:15:14.260000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:12.329000+00:00</td></tr></tbody></table></details><hr><h4>[T0814] Denial of Service</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:16:01.922000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:59.992000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0815] Denial of View</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:16:25.031000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:05.576000+00:00</td></tr></tbody></table></details><hr><h4>[T0868] Detect Operating Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:01.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0816] Device Restart/Shutdown</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-09-26 16:50:56.401000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:00.768000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0817] Drive-by Compromise</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:06.780000+00:00</td></tr></tbody></table></details><hr><h4>[T0871] Execution through API</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:05.776000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0819] Exploit Public-Facing Application</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:02.990000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0820] Exploitation for Evasion</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:08.425000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0890] Exploitation for Privilege Escalation</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-09-27 16:38:58.028000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:11.342000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0866] Exploitation of Remote Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:07.457000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0822] External Remote Services</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:16:55.602000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:07.840000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0823] Graphical User Interface</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:08.992000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0891] Hardcoded Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:10.962000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0874] Hooking</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-13 13:32:08.619000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:08.803000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0877] I/O Image</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:05.375000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0872] Indicator Removal on Host</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:05.190000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0883] Internet Accessible Device</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:13.719000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0867] Lateral Tool Transfer</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:13.327000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0826] Loss of Availability</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:09.581000+00:00</td></tr></tbody></table></details><hr><h4>[T0827] Loss of Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:08.613000+00:00</td></tr></tbody></table></details><hr><h4>[T0828] Loss of Productivity and Revenue</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:06.362000+00:00</td></tr></tbody></table></details><hr><h4>[T0837] Loss of Protection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:01.994000+00:00</td></tr></tbody></table></details><hr><h4>[T0880] Loss of Safety</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:06.171000+00:00</td></tr></tbody></table></details><hr><h4>[T0829] Loss of View</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:59.396000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0835] Manipulate I/O Image</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-20 20:46:11.459000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:03.589000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0831] Manipulation of Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:59.793000+00:00</td></tr></tbody></table></details><hr><h4>[T0832] Manipulation of View</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:04.993000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0849] Masquerading</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:10.181000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0838] Modify Alarm Settings</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:17:43.803000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:12.528000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Device Configuration/Parameters</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0839] Module Firmware</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:13.531000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0801] Monitor Process State</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:02.197000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0834] Native API</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:09.388000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0840] Network Connection Enumeration</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:13.131000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0842] Network Sniffing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:03.783000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0861] Point & Tag Identification</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:00.575000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0843] Program Download</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:10.374000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0845] Program Upload</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:02.785000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0873] Project File Infection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-05-08 18:58:24.092000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:12.926000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0886] Remote Services</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:12.125000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0846] Remote System Discovery</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:11.536000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0888] Remote System Information Discovery</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-17 15:14:31.276000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:02.595000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0847] Replication Through Removable Media</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:10.581000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0848] Rogue Master</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:18:41.277000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:09.193000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0851] Rootkit</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:03.989000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0852] Screen Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:10.768000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0853] Scripting</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:02.398000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0865] Spearphishing Attachment</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:06.577000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0856] Spoof Reporting Message</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:19:14.351000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:07.260000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0869] Standard Application Layer Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:11.924000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0862] Supply Chain Compromise</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:05.975000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0857] System Firmware</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:09.988000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0882] Theft of Operational Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:09.780000+00:00</td></tr></tbody></table></details><hr><h4>[T0864] Transient Cyber Asset</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:19:41.272000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:03.395000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[1]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.nerc.com/files/glossary_of_terms.pdf</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0855] Unauthorized Command Message</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-05 14:16:02.811000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:04.582000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table></details><hr><h4>[T0863] User Execution</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:00.969000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0859] Valid Accounts</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:11.152000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Data Historian</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Engineering Workstation</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Human-Machine Interface</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Safety Instrumented System/Protection Relay</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0860] Wireless Compromise</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-30 20:20:38.285000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:57:01.165000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Control Server</td><td style='border: 1px solid black;border-collapse: collapse;'>None</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Field Controller/RTU/PLC/IED</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'>Input/Output Server</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[T0887] Wireless Sniffing</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-09 18:38:51.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-13 17:56:59.193000+00:00</td></tr></tbody></table></details></details><h2>Software</h2><h3>enterprise-attack</h3><details><summary>New Software</summary><hr><h4>[S1074] ANDROMEDA</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)</p><hr><h4>[S1087] AsyncRAT</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)</p><hr><h4>[S1081] BADHATCH</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)</p><hr><h4>[S1088] Disco</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)</p><hr><h4>[S1075] KOPILUWAK</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)</p><hr><h4>[S1090] NightClub</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)</p><hr><h4>[S1091] Pacu</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)</p><hr><h4>[S1076] QUIETCANARY</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)</p><hr><h4>[S1084] QUIETEXIT</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)</p><hr><h4>[S1078] RotaJakiro</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine it's permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)</p><hr><h4>[S1085] Sardonic</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to be used by [FIN8](https://attack.mitre.org/groups/G0061), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)</p><hr><h4>[S1089] SharpDisco</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)</p><hr><h4>[S1086] Snip3</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)</p><hr><h4>[S0508] ngrok</h4><p><b>Current version</b>: 1.2</p><p><b>Description</b>: [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)</p></details><details><summary>Major Version Changes</summary><hr><h4>[S0352] OSX_OCEANLOTUS.D</h4><p><b>Current version</b>: 3.0</p><p><b>Version changed from</b>: 2.2 → 3.0</p>
-    <table class="diff" id="difflib_chg_to42__top"
+    <table class="diff" id="difflib_chg_to41__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to42__0"><a href="#difflib_chg_to42__top">t</a></td><td class="diff_header" id="from42_1">1</td><td nowrap="nowrap"><span class="diff_sub">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td><td class="diff_next"><a href="#difflib_chg_to42__top">t</a></td><td class="diff_header" id="to42_1">1</td><td nowrap="nowrap"><span class="diff_add">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to41__0"><a href="#difflib_chg_to41__top">t</a></td><td class="diff_header" id="from41_1">1</td><td nowrap="nowrap"><span class="diff_sub">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td><td class="diff_next"><a href="#difflib_chg_to41__top">t</a></td><td class="diff_header" id="to41_1">1</td><td nowrap="nowrap"><span class="diff_add">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">is&nbsp;a&nbsp;MacOS&nbsp;backdoor&nbsp;with&nbsp;several&nbsp;variants&nbsp;that&nbsp;has&nbsp;been&nbsp;used</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">is&nbsp;a&nbsp;macOS&nbsp;backdoor&nbsp;used&nbsp;by&nbsp;[APT32](https://attack.mitre.org</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">&nbsp;by&nbsp;[APT32](https://attack.mitre.org/groups/G0050).(Citation</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">/groups/G0050).&nbsp;First&nbsp;discovered&nbsp;in&nbsp;2015,&nbsp;[APT32](https://at</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">:&nbsp;TrendMicro&nbsp;MacOS&nbsp;April&nbsp;2018)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;MacOS&nbsp;B</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">tack.mitre.org/groups/G0050)&nbsp;has&nbsp;continued&nbsp;to&nbsp;make&nbsp;improveme</span></td></tr>
@@ -2329,13 +2329,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">lware&nbsp;May&nbsp;2023)(Citation:&nbsp;Kaspersky&nbsp;Turla)</span></td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['Uroburos', 'Snake']</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_platforms</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['Linux', 'Windows', 'macOS']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2018-10-17 00:14:20.652000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-02 17:26:25.052000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)</td><td style='border: 1px solid black;border-collapse: collapse;'>[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[1]['source_name']</td><td style='border: 1px solid black;border-collapse: collapse;'>Uroburos</td><td style='border: 1px solid black;border-collapse: collapse;'>Snake</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[1]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>(Citation: Kaspersky Turla)</td><td style='border: 1px solid black;border-collapse: collapse;'>(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023', 'description': 'FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.', 'url': 'https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf'}</td></tr></tbody></table></details></details><details><summary>Minor Version Changes</summary><hr><h4>[S0552] AdFind</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-02 20:44:17.690000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 16:50:06.756000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[S0331] Agent Tesla</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-04-21 02:04:30.060000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-11 20:13:18.738000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[S0099] Arp</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-12-07 18:27:04.603000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-25 19:24:08.305000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0190] BITSAdmin</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-13 18:56:28.568000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-03 18:31:04.851000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[S0089] BlackEnergy</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-12 17:33:00.482000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-06 14:08:40.134000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[S0521] BloodHound</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-02-16 18:51:10.090000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 18:00:13.178000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[S0154] Cobalt Strike</h4><p><b>Current version</b>: 1.11</p><p><b>Version changed from</b>: 1.10 → 1.11</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-07 13:05:11.028000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 16:47:36.538000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.10</td><td style='border: 1px solid black;border-collapse: collapse;'>1.11</td></tr></tbody></table></details><hr><h4>[S0575] Conti</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-09-29 16:45:13.038000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 18:13:14.416000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[S0235] CrossRAT</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-30 15:26:42.369000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 21:03:22.526000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0384] Dridex</h4><p><b>Current version</b>: 2.1</p><p><b>Version changed from</b>: 2.0 → 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-01 20:30:30.043000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-03 21:55:20.998000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Jennifer Kim Roman, CrowdStrike</td></tr></tbody></table></details><hr><h4>[S0367] Emotet</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-01-17 22:19:58.856000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 19:44:43.868000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[S0363] Empire</h4><p><b>Current version</b>: 1.7</p><p><b>Version changed from</b>: 1.6 → 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-22 03:43:09.336000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-27 15:44:31.364000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td><td style='border: 1px solid black;border-collapse: collapse;'>1.7</td></tr></tbody></table></details><hr><h4>[S0410] Fysbis</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-11-06 15:24:20.400000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-01 16:58:20.224000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[S0588] GoldMax</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-27 19:46:46.532000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-30 16:31:52.140000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[S0434] Imminent Monitor</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-07-10 13:39:26.417000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-03 19:35:03.646000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[S0357] Impacket</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-01-23 20:52:37.112000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-27 15:31:10.648000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[S0607] KillDisk</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:13:42.357000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-06 14:09:52.833000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0349] LaZagne</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-02 20:48:02.590000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-03 18:35:09.021000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[S0002] Mimikatz</h4><p><b>Current version</b>: 1.8</p><p><b>Version changed from</b>: 1.7 → 1.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-07 13:04:10.731000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-27 15:33:07.594000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.7</td><td style='border: 1px solid black;border-collapse: collapse;'>1.8</td></tr></tbody></table></details><hr><h4>[S0198] NETWIRE</h4><p><b>Current version</b>: 1.6</p><p><b>Version changed from</b>: 1.5 → 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-26 19:24:00.073000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-20 20:04:20.149000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td></tr></tbody></table></details><hr><h4>[S0039] Net</h4><p><b>Current version</b>: 2.5</p><p><b>Version changed from</b>: 2.4 → 2.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-03 16:49:41.059000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-25 19:25:59.767000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.4</td><td style='border: 1px solid black;border-collapse: collapse;'>2.5</td></tr></tbody></table></details><hr><h4>[S0359] Nltest</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-07 16:41:18.760000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 18:03:17.167000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0402] OSX/Shlayer</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-19 16:35:18.493000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-30 16:28:36.699000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[S0097] Ping</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-01-04 21:59:04.229000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-06 15:12:11.358000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[S0029] PsExec</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-02 20:43:41.287000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 18:07:11.859000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details><hr><h4>[S0192] Pupy</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-05-13 22:57:00.921000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 21:08:47.128000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[S0481] Ragnar Locker</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-04-13 23:52:18.803000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-06 15:08:53.375000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0019] Regin</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-06-29 01:54:53.301000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-01 02:47:21.211000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0379] Revenge RAT</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-30 18:05:10.885000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-02 23:04:26.238000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S1071] Rubeus</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-13 23:27:32.465000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-03 18:30:05.885000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[S0446] Ryuk</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-05-24 21:10:44.381000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 18:11:35.634000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[S0266] TrickBot</h4><p><b>Current version</b>: 2.1</p><p><b>Version changed from</b>: 2.0 → 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-02-23 19:45:50.419000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 16:44:56.511000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td></tr></tbody></table></details><hr><h4>[S0670] WarzoneRAT</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-04-15 14:24:50.745000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-03 19:33:26.976000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details><hr><h4>[S0160] certutil</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-03 00:40:22.280000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-27 15:28:27.482000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[S0404] esentutl</h4><p><b>Current version</b>: 1.3</p><p><b>Version changed from</b>: 1.2 → 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-01 17:48:10.492000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 03:45:36.045000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td></tr></tbody></table></details><hr><h4>[S0283] jRAT</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-01-25 15:43:45.842000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-03 19:38:43.114000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details><hr><h4>[S0104] netstat</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-12 21:29:16.407000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-07-25 19:25:05.678000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0385] njRAT</h4><p><b>Current version</b>: 1.5</p><p><b>Version changed from</b>: 1.4 → 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-09-16 19:33:56.130000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-20 20:03:22.206000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td><td style='border: 1px solid black;border-collapse: collapse;'>1.5</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[S1068] BlackCat</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-17 21:40:50.124000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-06-15 18:33:45.154000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[3]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat</td></tr></tbody></table></details><hr><h4>[S0274] Calisto</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-30 01:58:55.849000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-21 19:42:40.612000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[3]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days</td><td style='border: 1px solid black;border-collapse: collapse;'>https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr></tbody></table></details><hr><h4>[S0030] Carbanak</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-04-01 16:03:31.574000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-17 19:51:14.195000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr></tbody></table></details><hr><h4>[S0600] Doki</h4><p><b>Current version</b>: 1.0</p>
-    <table class="diff" id="difflib_chg_to41__top"
+    <table class="diff" id="difflib_chg_to42__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to41__0"><a href="#difflib_chg_to41__top">t</a></td><td class="diff_header" id="from41_1">1</td><td nowrap="nowrap">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td><td class="diff_next"><a href="#difflib_chg_to41__top">t</a></td><td class="diff_header" id="to41_1">1</td><td nowrap="nowrap">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to42__0"><a href="#difflib_chg_to42__top">t</a></td><td class="diff_header" id="from42_1">1</td><td nowrap="nowrap">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td><td class="diff_next"><a href="#difflib_chg_to42__top">t</a></td><td class="diff_header" id="to42_1">1</td><td nowrap="nowrap">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">r&nbsp;that&nbsp;uses&nbsp;a&nbsp;unique&nbsp;Dogecoin-based&nbsp;Domain&nbsp;Generation&nbsp;Algori</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">r&nbsp;that&nbsp;uses&nbsp;a&nbsp;unique&nbsp;Dogecoin-based&nbsp;Domain&nbsp;Generation&nbsp;Algori</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">thm&nbsp;and&nbsp;was&nbsp;first&nbsp;observed&nbsp;in&nbsp;July&nbsp;2020.&nbsp;[Doki](https://atta</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">thm&nbsp;and&nbsp;was&nbsp;first&nbsp;observed&nbsp;in&nbsp;July&nbsp;2020.&nbsp;[Doki](https://atta</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ck.mitre.org/software/S0600)&nbsp;was&nbsp;used&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;th</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ck.mitre.org/software/S0600)&nbsp;was&nbsp;used&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;th</td></tr>
@@ -2344,13 +2344,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tforms.&nbsp;(Citation:&nbsp;Intezer&nbsp;Doki&nbsp;July&nbsp;20)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tforms.&nbsp;(Citation:&nbsp;Intezer&nbsp;Doki&nbsp;July&nbsp;20)</td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)</td><td style='border: 1px solid black;border-collapse: collapse;'>[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)</td></tr></tbody></table></details><hr><h4>[S0604] Industroyer</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-20 20:37:50.556000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-17 20:09:38.062000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[1]</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik -  Dragos</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik - Dragos</td></tr></tbody></table></details><hr><h4>[S0372] LockerGoga</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:03:50.370000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-17 20:05:34.648000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik -  Dragos</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik - Dragos</td></tr></tbody></table></details><hr><h4>[S0196] PUNCHBUGGY</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-02-09 14:07:10.907000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-19 13:31:34.134000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[4]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.</td><td style='border: 1px solid black;border-collapse: collapse;'>Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr></tbody></table></details><hr><h4>[S0197] PUNCHTRACK</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-03-17 14:48:43.852000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-19 13:31:34.134000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[3]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.</td><td style='border: 1px solid black;border-collapse: collapse;'>Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr></tbody></table></details><hr><h4>[S0194] PowerSploit</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-22 05:12:48.213000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-17 19:50:17.832000+00:00</td></tr></tbody></table></details></details><details><summary>Revocations</summary><hr><h4>[S9000] Ngrok</h4><p><b>Current version</b>: 1.1</p><font color=blue><p>This object has been revoked by [S0508] ngrok</p></font><p><b>Description for [S0508] ngrok</b>: [ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-13 13:24:56.579000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-25 18:56:12.154000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'>False</td><td style='border: 1px solid black;border-collapse: collapse;'>True</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S0508', 'external_id': 'S0508'}</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S9000', 'external_id': 'S9000'}</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Zdnet Ngrok September 2018', 'description': 'Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.', 'url': 'https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Cyware Ngrok May 2019', 'description': 'Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020.', 'url': 'https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'MalwareBytes LazyScripter Feb 2021', 'description': 'Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.', 'url': 'https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'FireEye Maze May 2020', 'description': 'Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'}</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>New Software</summary><hr><h4>[S1079] BOULDSPY</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)</p><hr><h4>[S1083] Chameleon</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)</p><hr><h4>[S1092] Escobar</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)</p><hr><h4>[S1080] Fakecalls</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422) </p><hr><h4>[S1093] FlyTrap</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap) </p><hr><h4>[S1077] Hornbill</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)</p><hr><h4>[S1082] Sunbird</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142).  Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)</p></details><h3>ics-attack</h3><details><summary>Minor Version Changes</summary><hr><h4>[S0089] BlackEnergy</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-12 17:33:00.482000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-06 14:08:40.134000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details><hr><h4>[S0607] KillDisk</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:13:42.357000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-06 14:09:52.833000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details><hr><h4>[S0446] Ryuk</h4><p><b>Current version</b>: 1.4</p><p><b>Version changed from</b>: 1.3 → 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-05-24 21:10:44.381000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-09 18:11:35.634000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>1.4</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[S0604] Industroyer</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-20 20:37:50.556000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-17 20:09:38.062000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[1]</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik -  Dragos</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik - Dragos</td></tr></tbody></table></details><hr><h4>[S0372] LockerGoga</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:03:50.370000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-17 20:05:34.648000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik -  Dragos</td><td style='border: 1px solid black;border-collapse: collapse;'>Joe Slowik - Dragos</td></tr></tbody></table></details></details><h2>Groups</h2><h3>enterprise-attack</h3><details><summary>New Groups</summary><hr><h4>[G0058] Charming Kitten</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [[Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)</p><hr><h4>[G1016] FIN13</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)</p><hr><h4>[G1019] MoustachedBouncer</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)</p><hr><h4>[G1015] Scattered Spider</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as  telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)</p><hr><h4>[G1018] TA2541</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)</p><hr><h4>[G1017] Volt Typhoon</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)</p></details><details><summary>Major Version Changes</summary><hr><h4>[G0016] APT29</h4><p><b>Current version</b>: 5.0</p><p><b>Version changed from</b>: 4.0 → 5.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-16 22:25:01.191000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-02 21:33:07.807000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>4.0</td><td style='border: 1px solid black;border-collapse: collapse;'>5.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>UNC3524</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'UNC3524', 'description': '(Citation: Mandiant APT29 Eye Spy Email Nov 22)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant APT29 Eye Spy Email Nov 22', 'description': 'Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.', 'url': 'https://www.mandiant.com/resources/blog/unc3524-eye-spy-email'}</td></tr></tbody></table></details><hr><h4>[G0046] FIN7</h4><p><b>Current version</b>: 3.0</p><p><b>Version changed from</b>: 2.2 → 3.0</p>
-    <table class="diff" id="difflib_chg_to44__top"
+    <table class="diff" id="difflib_chg_to46__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to44__0"><a href="#difflib_chg_to44__top">t</a></td><td class="diff_header" id="from44_1">1</td><td nowrap="nowrap"><span class="diff_sub">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class="diff_next"><a href="#difflib_chg_to44__top">t</a></td><td class="diff_header" id="to44_1">1</td><td nowrap="nowrap"><span class="diff_add">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to46__0"><a href="#difflib_chg_to46__top">t</a></td><td class="diff_header" id="from46_1">1</td><td nowrap="nowrap"><span class="diff_sub">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class="diff_next"><a href="#difflib_chg_to46__top">t</a></td><td class="diff_header" id="to46_1">1</td><td nowrap="nowrap"><span class="diff_add">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013&nbsp;pr</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013.&nbsp;[</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">imarily&nbsp;targeting&nbsp;the&nbsp;U.S.&nbsp;retail,&nbsp;restaurant,&nbsp;and&nbsp;hospitali</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">FIN7](https://attack.mitre.org/groups/G0046)&nbsp;has&nbsp;primarily&nbsp;t</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ty&nbsp;sectors,&nbsp;often&nbsp;using&nbsp;point-of-sale&nbsp;malware.&nbsp;A&nbsp;portion&nbsp;of&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">argeted&nbsp;the&nbsp;retail,&nbsp;restaurant,&nbsp;hospitality,&nbsp;software,&nbsp;consu</span></td></tr>
@@ -2392,13 +2392,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">IN8&nbsp;Jul&nbsp;2023)</span></td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-22 03:52:13.089000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-19 14:08:59.296000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)</td><td style='border: 1px solid black;border-collapse: collapse;'>[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[3]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.</td><td style='border: 1px solid black;border-collapse: collapse;'>Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.3</td><td style='border: 1px solid black;border-collapse: collapse;'>2.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Syssphinx</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Syssphinx', 'description': '(Citation: Symantec FIN8 Jul 2023)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Bitdefender Sardonic Aug 2021', 'description': 'Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.', 'url': 'https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Symantec FIN8 Jul 2023', 'description': 'Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Serhii Melnyk, Trustwave SpiderLabs</td></tr></tbody></table></details><hr><h4>[G0119] Indrik Spider</h4><p><b>Current version</b>: 3.0</p><p><b>Version changed from</b>: 2.1 → 3.0</p>
-    <table class="diff" id="difflib_chg_to45__top"
+    <table class="diff" id="difflib_chg_to44__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to45__0"><a href="#difflib_chg_to45__top">t</a></td><td class="diff_header" id="from45_1">1</td><td nowrap="nowrap">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to45__top">t</a></td><td class="diff_header" id="to45_1">1</td><td nowrap="nowrap">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to44__0"><a href="#difflib_chg_to44__top">t</a></td><td class="diff_header" id="from44_1">1</td><td nowrap="nowrap">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to44__top">t</a></td><td class="diff_header" id="to44_1">1</td><td nowrap="nowrap">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Russia-based&nbsp;cybercriminal&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Russia-based&nbsp;cybercriminal&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">at&nbsp;least&nbsp;2014.&nbsp;[Indrik&nbsp;Spider](https://attack.mitre.org/grou</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">at&nbsp;least&nbsp;2014.&nbsp;[Indrik&nbsp;Spider](https://attack.mitre.org/grou</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ps/G0119)&nbsp;initially&nbsp;started&nbsp;with&nbsp;the&nbsp;[Dridex](https://attack</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ps/G0119)&nbsp;initially&nbsp;started&nbsp;with&nbsp;the&nbsp;[Dridex](https://attack</td></tr>
@@ -2413,13 +2413,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;2021)(Citation:&nbsp;Treasury&nbsp;EvilCorp&nbsp;Dec&nbsp;2019)</td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['Jennifer Kim Roman, CrowdStrike']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-09-15 19:49:18.799000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-03 21:39:36.666000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)</td><td style='border: 1px solid black;border-collapse: collapse;'>[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td></tr></tbody></table></details><hr><h4>[G0010] Turla</h4><p><b>Current version</b>: 4.0</p><p><b>Version changed from</b>: 3.1 → 4.0</p>
-    <table class="diff" id="difflib_chg_to46__top"
+    <table class="diff" id="difflib_chg_to43__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to46__0"><a href="#difflib_chg_to46__top">t</a></td><td class="diff_header" id="from46_1">1</td><td nowrap="nowrap"><span class="diff_sub">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;Russian-</span></td><td class="diff_next"><a href="#difflib_chg_to46__top">t</a></td><td class="diff_header" id="to46_1">1</td><td nowrap="nowrap"><span class="diff_add">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;cyber&nbsp;es</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to43__0"><a href="#difflib_chg_to43__top">t</a></td><td class="diff_header" id="from43_1">1</td><td nowrap="nowrap"><span class="diff_sub">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;Russian-</span></td><td class="diff_next"><a href="#difflib_chg_to43__top">t</a></td><td class="diff_header" id="to43_1">1</td><td nowrap="nowrap"><span class="diff_add">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;cyber&nbsp;es</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">based&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;infected&nbsp;victims&nbsp;in&nbsp;over&nbsp;45&nbsp;coun</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">pionage&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;attributed&nbsp;to&nbsp;Russia's&nbsp;Fe</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">tries,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;of&nbsp;industries&nbsp;including&nbsp;government,&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">deral&nbsp;Security&nbsp;Service&nbsp;(FSB).&nbsp;&nbsp;They&nbsp;have&nbsp;compromised&nbsp;victims</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">embassies,&nbsp;military,&nbsp;education,&nbsp;research&nbsp;and&nbsp;pharmaceutical&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">&nbsp;in&nbsp;over&nbsp;50&nbsp;countries&nbsp;since&nbsp;at&nbsp;least&nbsp;2004,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;</span></td></tr>
@@ -2434,13 +2434,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">BEAR)(Citation:&nbsp;ESET&nbsp;Turla&nbsp;Mosquito&nbsp;Jan&nbsp;2018)</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">rsecurity&nbsp;Advisory&nbsp;AA23-129A&nbsp;Snake&nbsp;Malware&nbsp;May&nbsp;2023)</span></td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-22 05:41:28.428000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-08-02 19:48:08.774000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)</td><td style='border: 1px solid black;border-collapse: collapse;'>[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB).  They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td><td style='border: 1px solid black;border-collapse: collapse;'>4.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023', 'description': 'FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.', 'url': 'https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf'}</td></tr></tbody></table></details><hr><h4>[G0102] Wizard Spider</h4><p><b>Current version</b>: 3.0</p><p><b>Version changed from</b>: 2.1 → 3.0</p>
-    <table class="diff" id="difflib_chg_to43__top"
+    <table class="diff" id="difflib_chg_to45__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to43__0"><a href="#difflib_chg_to43__top">t</a></td><td class="diff_header" id="from43_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to43__top">t</a></td><td class="diff_header" id="to43_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to45__0"><a href="#difflib_chg_to45__top">t</a></td><td class="diff_header" id="from45_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to45__top">t</a></td><td class="diff_header" id="to45_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td></tr>
@@ -2453,13 +2453,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">0)</td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-22 05:44:27.289000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-12 14:35:52.920000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)</td><td style='border: 1px solid black;border-collapse: collapse;'>[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>FIN12</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>GOLD BLACKBURN</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>ITG23</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Periwinkle Tempest</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'ITG23', 'description': '(Citation: IBM X-Force ITG23 Oct 2021)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'FIN12', 'description': '(Citation: Mandiant FIN12 Oct 2021)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'GOLD BLACKBURN', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Periwinkle Tempest', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Secureworks Gold Blackburn Mar 2022', 'description': 'Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-blackburn'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant FIN12 Oct 2021', 'description': 'Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.', 'url': 'https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'IBM X-Force ITG23 Oct 2021', 'description': 'Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.', 'url': 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/'}</td></tr></tbody></table></details></details><details><summary>Minor Version Changes</summary><hr><h4>[G0050] APT32</h4><p><b>Current version</b>: 2.7</p><p><b>Version changed from</b>: 2.6 → 2.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-21 21:04:18.158000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-12 21:15:24.393000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.6</td><td style='border: 1px solid black;border-collapse: collapse;'>2.7</td></tr></tbody></table></details><hr><h4>[G0142] Confucius</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-06-30 20:15:32.697000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-22 20:43:16.504000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>mobile-attack</td></tr></tbody></table></details><hr><h4>[G0035] Dragonfly</h4><p><b>Current version</b>: 3.2</p><p><b>Version changed from</b>: 3.1 → 3.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:03:28.170000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-01 02:45:48.973000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2</td></tr></tbody></table></details><hr><h4>[G1004] LAPSUS$</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-11 00:01:29.232000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-20 17:06:10.335000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Caio Silva</td></tr></tbody></table></details><hr><h4>[G0059] Magic Hound</h4><p><b>Current version</b>: 5.2</p><p><b>Version changed from</b>: 5.1 → 5.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-01-13 21:18:18.077000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-11 20:43:14.739000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>5.1</td><td style='border: 1px solid black;border-collapse: collapse;'>5.2</td></tr></tbody></table></details><hr><h4>[G0034] Sandworm Team</h4><p><b>Current version</b>: 3.1</p><p><b>Version changed from</b>: 3.0 → 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:12:31.238000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-06 14:13:06.011000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td></tr></tbody></table></details><hr><h4>[G0083] SilverTerrier</h4><p><b>Current version</b>: 1.2</p><p><b>Version changed from</b>: 1.1 → 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2020-05-19 23:26:11.780000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-27 20:22:05.127000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td><td style='border: 1px solid black;border-collapse: collapse;'>1.2</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[G0067] APT37</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-15 16:54:01.193000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-06-26 18:59:30.461000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[2]['source_name']</td><td style='border: 1px solid black;border-collapse: collapse;'>Richochet Chollima</td><td style='border: 1px solid black;border-collapse: collapse;'>Ricochet Chollima</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[11]['description']</td><td style='border: 1px solid black;border-collapse: collapse;'>CrowdStrike. (2021, September 30). Adversary Profile - Richochet Chollima. Retrieved September 30, 2021.</td><td style='border: 1px solid black;border-collapse: collapse;'>CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[11]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://adversary.crowdstrike.com/en-US/adversary/ricochet-chollima/</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.crowdstrike.com/adversaries/ricochet-chollima/</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Ricochet Chollima</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'>Richochet Chollima</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table></details><hr><h4>[G0130] Ajax Security Team</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-12-17 19:27:27.246000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-09 16:46:55.719000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[6]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf</td><td style='border: 1px solid black;border-collapse: collapse;'>https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf</td></tr></tbody></table></details><hr><h4>[G0012] Darkhotel</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-19 22:07:30.243000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-17 20:21:44.687000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors[0]</td><td style='border: 1px solid black;border-collapse: collapse;'>Harry, CODEMIZE</td><td style='border: 1px solid black;border-collapse: collapse;'>Harry Kim, CODEMIZE</td></tr></tbody></table></details><hr><h4>[G0094] Kimsuky</h4><p><b>Current version</b>: 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-11-30 22:53:00.875000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-27 20:08:25.814000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>New Groups</summary><hr><h4>[G0142] Confucius</h4><p><b>Current version</b>: 1.1</p><p><b>Description</b>: [Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)</p><hr><h4>[G1019] MoustachedBouncer</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)</p></details><details><summary>Minor Version Changes</summary><hr><h4>[G0034] Sandworm Team</h4><p><b>Current version</b>: 3.1</p><p><b>Version changed from</b>: 3.0 → 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:12:31.238000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-06 14:13:06.011000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Major Version Changes</summary><hr><h4>[G0046] FIN7</h4><p><b>Current version</b>: 3.0</p><p><b>Version changed from</b>: 2.2 → 3.0</p>
-    <table class="diff" id="difflib_chg_to55__top"
+    <table class="diff" id="difflib_chg_to54__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to55__0"><a href="#difflib_chg_to55__top">t</a></td><td class="diff_header" id="from55_1">1</td><td nowrap="nowrap"><span class="diff_sub">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class="diff_next"><a href="#difflib_chg_to55__top">t</a></td><td class="diff_header" id="to55_1">1</td><td nowrap="nowrap"><span class="diff_add">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to54__0"><a href="#difflib_chg_to54__top">t</a></td><td class="diff_header" id="from54_1">1</td><td nowrap="nowrap"><span class="diff_sub">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class="diff_next"><a href="#difflib_chg_to54__top">t</a></td><td class="diff_header" id="to54_1">1</td><td nowrap="nowrap"><span class="diff_add">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013&nbsp;pr</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013.&nbsp;[</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">imarily&nbsp;targeting&nbsp;the&nbsp;U.S.&nbsp;retail,&nbsp;restaurant,&nbsp;and&nbsp;hospitali</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">FIN7](https://attack.mitre.org/groups/G0046)&nbsp;has&nbsp;primarily&nbsp;t</span></td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_sub">ty&nbsp;sectors,&nbsp;often&nbsp;using&nbsp;point-of-sale&nbsp;malware.&nbsp;A&nbsp;portion&nbsp;of&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">argeted&nbsp;the&nbsp;retail,&nbsp;restaurant,&nbsp;hospitality,&nbsp;software,&nbsp;consu</span></td></tr>
@@ -2482,13 +2482,13 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_add">er&nbsp;August&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;FIN7&nbsp;Apr&nbsp;2022)</span></td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-22 03:51:04.185000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-04 18:10:49.054000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)</td><td style='border: 1px solid black;border-collapse: collapse;'>[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant FIN7 Apr 2022', 'description': 'Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.', 'url': 'https://www.mandiant.com/resources/evolution-of-fin7'}</td></tr></tbody></table></details><hr><h4>[G0102] Wizard Spider</h4><p><b>Current version</b>: 3.0</p><p><b>Version changed from</b>: 2.1 → 3.0</p>
-    <table class="diff" id="difflib_chg_to54__top"
+    <table class="diff" id="difflib_chg_to55__top"
            cellspacing="0" cellpadding="0" rules="groups" >
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
         <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
         <tbody>
-            <tr><td class="diff_next" id="difflib_chg_to54__0"><a href="#difflib_chg_to54__top">t</a></td><td class="diff_header" id="from54_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to54__top">t</a></td><td class="diff_header" id="to54_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>
+            <tr><td class="diff_next" id="difflib_chg_to55__0"><a href="#difflib_chg_to55__top">t</a></td><td class="diff_header" id="from55_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to55__top">t</a></td><td class="diff_header" id="to55_1">1</td><td nowrap="nowrap">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td></tr>
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td></tr>
@@ -2501,7 +2501,7 @@ <h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>New Techniques</s
             <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">0)</td></tr>
         </tbody>
     </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-22 05:44:27.289000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-12 14:35:52.920000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)</td><td style='border: 1px solid black;border-collapse: collapse;'>[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>iterable_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>FIN12</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>GOLD BLACKBURN</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>ITG23</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>aliases</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>Periwinkle Tempest</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'ITG23', 'description': '(Citation: IBM X-Force ITG23 Oct 2021)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'FIN12', 'description': '(Citation: Mandiant FIN12 Oct 2021)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'GOLD BLACKBURN', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Periwinkle Tempest', 'description': '(Citation: Secureworks Gold Blackburn Mar 2022)'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Secureworks Gold Blackburn Mar 2022', 'description': 'Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-blackburn'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'Mandiant FIN12 Oct 2021', 'description': 'Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.', 'url': 'https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf'}</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>{'source_name': 'IBM X-Force ITG23 Oct 2021', 'description': 'Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.', 'url': 'https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/'}</td></tr></tbody></table></details></details><details><summary>Minor Version Changes</summary><hr><h4>[G0035] Dragonfly</h4><p><b>Current version</b>: 3.2</p><p><b>Version changed from</b>: 3.1 → 3.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:03:28.170000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-01 02:45:48.973000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2</td></tr></tbody></table></details><hr><h4>[G0034] Sandworm Team</h4><p><b>Current version</b>: 3.1</p><p><b>Version changed from</b>: 3.0 → 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-08 22:12:31.238000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-06 14:13:06.011000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1</td></tr></tbody></table></details></details><h2>Campaigns</h2><h3>enterprise-attack</h3><details><summary>New Campaigns</summary><hr><h4>[C0028] 2015 Ukraine Electric Power Attack</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.</p><hr><h4>[C0026] C0026</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [C0026](https://attack.mitre.org/campaigns/C0026) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://attack.mitre.org/software/S1075) and [QUIETCANARY](https://attack.mitre.org/software/S1076) malware to previous [ANDROMEDA](https://attack.mitre.org/software/S1074) malware victims in Ukraine through re-registered [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains. Several tools and tactics used during [C0026](https://attack.mitre.org/campaigns/C0026) were consistent with historic [Turla](https://attack.mitre.org/groups/G0010) operations.(Citation: Mandiant Suspected Turla Campaign February 2023)</p><hr><h4>[C0027] C0027</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [C0027](https://attack.mitre.org/campaigns/C0027) was a financially-motivated campaign linked to [Scattered Spider](https://attack.mitre.org/groups/G1015) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://attack.mitre.org/campaigns/C0027) [Scattered Spider](https://attack.mitre.org/groups/G1015) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.(Citation: Crowdstrike TELCO BPO Campaign December 2022)
-</p></details><details><summary>Minor Version Changes</summary><hr><h4>[C0022] Operation Dream Job</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-10 19:18:19.033000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-27 20:12:54.984000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>New Campaigns</summary><hr><h4>[C0028] 2015 Ukraine Electric Power Attack</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.</p></details><h2>Assets</h2><h3>ics-attack</h3><details><summary>New Assets</summary><hr><h4>[A0008] Application Server</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers.  The application server typically runs on a modern server operating system (e.g., MS Windows Server).</p><hr><h4>[A0007] Control Server</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.</p><hr><h4>[A0009] Data Gateway</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:
+</p></details><details><summary>Minor Version Changes</summary><hr><h4>[C0022] Operation Dream Job</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-04-10 19:18:19.033000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-27 20:12:54.984000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>New Campaigns</summary><hr><h4>[C0028] 2015 Ukraine Electric Power Attack</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.</p></details><details><summary>Deprecations</summary><hr><h4>[C0009] Oldsmar Treatment Plant Intrusion</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2022-10-21 15:56:01.070000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-20 22:40:13.147000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.0.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'>False</td><td style='border: 1px solid black;border-collapse: collapse;'>True</td></tr></tbody></table></details></details><h2>Assets</h2><h3>ics-attack</h3><details><summary>New Assets</summary><hr><h4>[A0008] Application Server</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers.  The application server typically runs on a modern server operating system (e.g., MS Windows Server).</p><hr><h4>[A0007] Control Server</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.</p><hr><h4>[A0009] Data Gateway</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:
 
  *  <u>Protocol Translation:</u> Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. 
  *  <u>Media Converter:</u> Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. 
diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/changelog.json b/modules/resources/docs/changelogs/v13.1-v14.0/changelog.json
index 1205897a377..99051ac5d70 100644
--- a/modules/resources/docs/changelogs/v13.1-v14.0/changelog.json
+++ b/modules/resources/docs/changelogs/v13.1-v14.0/changelog.json
@@ -1368,7 +1368,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 09:08:22.319000+00:00\", \"old_value\": \"2023-03-30 21:01:52.183000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n\\nThe following run keys are created by default on Windows systems:\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n\\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: <code>reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n\\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup</code>. The startup folder path for all users is <code>C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp</code>.\\n\\nThe following Registry keys can be used to set startup folder items for persistence:\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n\\nThe following Registry keys can control automatic startup of services during boot:\\n\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n\\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\\n\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n\\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows</code> run automatically for the currently logged-on user.\\n\\nBy default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n\\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.\", \"old_value\": \"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n\\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup</code>. The startup folder path for all users is <code>C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp</code>.\\n\\nThe following run keys are created by default on Windows systems:\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n\\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: <code>reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n\\nThe following Registry keys can be used to set startup folder items for persistence:\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders</code>\\n\\nThe following Registry keys can control automatic startup of services during boot:\\n\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce</code>\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices</code>\\n\\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\\n\\n* <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n\\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell</code> subkeys can automatically launch programs.\\n\\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows</code> run when any user logs on.\\n\\nBy default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n\\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,4 @@\\n Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \\\"run keys\\\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\\n-\\n-Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup</code>. The startup folder path for all users is <code>C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp</code>.\\n \\n The following run keys are created by default on Windows systems:\\n \\n@@ -10,6 +8,8 @@\\n * <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce</code>\\n \\n Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \\\"Depend\\\" key with RunOnceEx: <code>reg add HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend /v 1 /d \\\"C:\\\\temp\\\\evil[.]dll\\\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\\n+\\n+Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\\\Users\\\\\\\\[Username]\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup</code>. The startup folder path for all users is <code>C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp</code>.\\n \\n The following Registry keys can be used to set startup folder items for persistence:\\n \\n@@ -30,9 +30,7 @@\\n * <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run</code>\\n \\n-The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell</code> subkeys can automatically launch programs.\\n-\\n-Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows</code> run when any user logs on.\\n+Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows</code> run automatically for the currently logged-on user.\\n \\n By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][2]\": \"Harun K\\u00fc\\u00dfner\"}}",
                     "previous_version": "1.2",
                     "version_change": "1.2 \u2192 2.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to6__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to6__0\"><a href=\"#difflib_chg_to6__top\">t</a></td><td class=\"diff_header\" id=\"from6_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to6__top\">t</a></td><td class=\"diff_header\" id=\"to6_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;\"run&nbsp;keys\"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;\"run&nbsp;keys\"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;These&nbsp;programs</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;These&nbsp;programs</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;will&nbsp;be&nbsp;executed&nbsp;under&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;will&nbsp;hav</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;will&nbsp;be&nbsp;executed&nbsp;under&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;will&nbsp;hav</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;the&nbsp;account's&nbsp;associated&nbsp;permissions&nbsp;level.&nbsp;&nbsp;Placing&nbsp;a&nbsp;pro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;the&nbsp;account's&nbsp;associated&nbsp;permissions&nbsp;level.&nbsp;&nbsp;The&nbsp;following</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">gram&nbsp;within&nbsp;a&nbsp;startup&nbsp;folder&nbsp;will&nbsp;also&nbsp;cause&nbsp;that&nbsp;program&nbsp;to</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;run&nbsp;keys&nbsp;are&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;systems:&nbsp;&nbsp;*&nbsp;&lt;cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;execute&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;There&nbsp;is&nbsp;a&nbsp;startup&nbsp;folder&nbsp;loca</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tion&nbsp;for&nbsp;individual&nbsp;user&nbsp;accounts&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;system-wide&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tartup&nbsp;folder&nbsp;that&nbsp;will&nbsp;be&nbsp;checked&nbsp;regardless&nbsp;of&nbsp;which&nbsp;user&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ndows\\CurrentVersion\\RunOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHI</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">account&nbsp;logs&nbsp;in.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;path&nbsp;for&nbsp;the&nbsp;current&nbsp;use</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">NE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">r&nbsp;is&nbsp;&lt;code&gt;C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ode&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVer</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ndows\\Start&nbsp;Menu\\Programs\\Startup&lt;/code&gt;.&nbsp;The&nbsp;startup&nbsp;folder</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">sion\\RunOnce&lt;/code&gt;&nbsp;&nbsp;Run&nbsp;keys&nbsp;may&nbsp;exist&nbsp;under&nbsp;multiple&nbsp;hives</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;path&nbsp;for&nbsp;all&nbsp;users&nbsp;is&nbsp;&lt;code&gt;C:\\ProgramData\\Microsoft\\Window</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.(Citation:&nbsp;Microsoft&nbsp;Wow6432Node&nbsp;2018)(Citation:&nbsp;Malwarebyt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s\\Start&nbsp;Menu\\Programs\\StartUp&lt;/code&gt;.&nbsp;&nbsp;The&nbsp;following&nbsp;run&nbsp;key</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es&nbsp;Wow6432Node&nbsp;2016)&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\M</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;are&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;systems:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icrosoft\\Windows\\CurrentVersion\\RunOnceEx&lt;/code&gt;&nbsp;is&nbsp;also&nbsp;ava</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">URRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ilable&nbsp;but&nbsp;is&nbsp;not&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;ne</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ode&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Cu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">wer.&nbsp;Registry&nbsp;run&nbsp;key&nbsp;entries&nbsp;can&nbsp;reference&nbsp;programs&nbsp;directl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rrentVersion\\RunOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Softw</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;or&nbsp;list&nbsp;them&nbsp;as&nbsp;a&nbsp;dependency.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">are\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;For&nbsp;example,&nbsp;it&nbsp;is&nbsp;possible&nbsp;to&nbsp;load&nbsp;a&nbsp;DLL&nbsp;at&nbsp;logon&nbsp;using&nbsp;a&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">\"Depend\"&nbsp;key&nbsp;with&nbsp;RunOnceEx:&nbsp;&lt;code&gt;reg&nbsp;add&nbsp;HKLM\\SOFTWARE\\Mic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Once&lt;/code&gt;&nbsp;&nbsp;Run&nbsp;keys&nbsp;may&nbsp;exist&nbsp;under&nbsp;multiple&nbsp;hives.(Citati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rosoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend&nbsp;/v&nbsp;1&nbsp;/d&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on:&nbsp;Microsoft&nbsp;Wow6432Node&nbsp;2018)(Citation:&nbsp;Malwarebytes&nbsp;Wow64</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">\"C:\\temp\\evil[.]dll\"&lt;/code&gt;&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;RunOnceEx&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">32Node&nbsp;2016)&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Mar&nbsp;2018)&nbsp;&nbsp;Placing&nbsp;a&nbsp;program&nbsp;within&nbsp;a&nbsp;startup&nbsp;folder&nbsp;will&nbsp;al</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\\Windows\\CurrentVersion\\RunOnceEx&lt;/code&gt;&nbsp;is&nbsp;also&nbsp;available&nbsp;b</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">so&nbsp;cause&nbsp;that&nbsp;program&nbsp;to&nbsp;execute&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;There&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ut&nbsp;is&nbsp;not&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;newer.&nbsp;Reg</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">is&nbsp;a&nbsp;startup&nbsp;folder&nbsp;location&nbsp;for&nbsp;individual&nbsp;user&nbsp;accounts&nbsp;as</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">istry&nbsp;run&nbsp;key&nbsp;entries&nbsp;can&nbsp;reference&nbsp;programs&nbsp;directly&nbsp;or&nbsp;lis</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;well&nbsp;as&nbsp;a&nbsp;system-wide&nbsp;startup&nbsp;folder&nbsp;that&nbsp;will&nbsp;be&nbsp;checked&nbsp;r</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;them&nbsp;as&nbsp;a&nbsp;dependency.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;For&nbsp;exa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">egardless&nbsp;of&nbsp;which&nbsp;user&nbsp;account&nbsp;logs&nbsp;in.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mple,&nbsp;it&nbsp;is&nbsp;possible&nbsp;to&nbsp;load&nbsp;a&nbsp;DLL&nbsp;at&nbsp;logon&nbsp;using&nbsp;a&nbsp;\"Depend\"</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">path&nbsp;for&nbsp;the&nbsp;current&nbsp;user&nbsp;is&nbsp;&lt;code&gt;C:\\Users\\\\[Username]\\AppD</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;key&nbsp;with&nbsp;RunOnceEx:&nbsp;&lt;code&gt;reg&nbsp;add&nbsp;HKLM\\SOFTWARE\\Microsoft\\W</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ata\\Roaming\\Microsoft\\Windows\\Start&nbsp;Menu\\Programs\\Startup&lt;/c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">indows\\CurrentVersion\\RunOnceEx\\0001\\Depend&nbsp;/v&nbsp;1&nbsp;/d&nbsp;\"C:\\temp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ode&gt;.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;path&nbsp;for&nbsp;all&nbsp;users&nbsp;is&nbsp;&lt;code&gt;C:\\Prog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\\evil[.]dll\"&lt;/code&gt;&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;RunOnceEx&nbsp;Mar&nbsp;2018</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ramData\\Microsoft\\Windows\\Start&nbsp;Menu\\Programs\\StartUp&lt;/code&gt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">)&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;set&nbsp;startup&nbsp;fo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;set&nbsp;startup&nbsp;fo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lder&nbsp;items&nbsp;for&nbsp;persistence:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Softw</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lder&nbsp;items&nbsp;for&nbsp;persistence:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Softw</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">are\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">are\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Win</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Win</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dows\\CurrentVersion\\Explorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HK</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dows\\CurrentVersion\\Explorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HK</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">EY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\E</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">EY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\E</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">xplorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\SOFT</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xplorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\SOFT</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">WARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">WARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lders&lt;/code&gt;&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;control&nbsp;automa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lders&lt;/code&gt;&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;control&nbsp;automa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tic&nbsp;startup&nbsp;of&nbsp;services&nbsp;during&nbsp;boot:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MAC</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tic&nbsp;startup&nbsp;of&nbsp;services&nbsp;during&nbsp;boot:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MAC</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">HINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOn</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">HINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ws\\CurrentVersion\\RunServicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ws\\CurrentVersion\\RunServicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunService</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunService</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Window</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Window</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s\\CurrentVersion\\RunServices&lt;/code&gt;&nbsp;&nbsp;Using&nbsp;policy&nbsp;settings&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s\\CurrentVersion\\RunServices&lt;/code&gt;&nbsp;&nbsp;Using&nbsp;policy&nbsp;settings&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;specify&nbsp;startup&nbsp;programs&nbsp;creates&nbsp;corresponding&nbsp;values&nbsp;in&nbsp;e</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;specify&nbsp;startup&nbsp;programs&nbsp;creates&nbsp;corresponding&nbsp;values&nbsp;in&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ither&nbsp;of&nbsp;two&nbsp;Registry&nbsp;keys:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Soft</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ither&nbsp;of&nbsp;two&nbsp;Registry&nbsp;keys:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Soft</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run&lt;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run&lt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">CurrentVersion\\Policies\\Explorer\\Run&lt;/code&gt;&nbsp;&nbsp;The&nbsp;Winlogon&nbsp;ke</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">CurrentVersion\\Policies\\Explorer\\Run&lt;/code&gt;&nbsp;&nbsp;Programs&nbsp;listed</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;controls&nbsp;actions&nbsp;that&nbsp;occur&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;on&nbsp;to&nbsp;a&nbsp;compu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;in&nbsp;the&nbsp;load&nbsp;value&nbsp;of&nbsp;the&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_CURRENT_US</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ter&nbsp;running&nbsp;Windows&nbsp;7.&nbsp;Most&nbsp;of&nbsp;these&nbsp;actions&nbsp;are&nbsp;under&nbsp;the&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ER\\Software\\Microsoft\\Windows&nbsp;NT\\CurrentVersion\\Windows&lt;/cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ontrol&nbsp;of&nbsp;the&nbsp;operating&nbsp;system,&nbsp;but&nbsp;you&nbsp;can&nbsp;also&nbsp;add&nbsp;custom&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;&nbsp;run&nbsp;automatically&nbsp;for&nbsp;the&nbsp;currently&nbsp;logged-on&nbsp;user.&nbsp;&nbsp;By&nbsp;d</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">actions&nbsp;here.&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsof</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">efault,&nbsp;the&nbsp;multistring&nbsp;&lt;code&gt;BootExecute&lt;/code&gt;&nbsp;value&nbsp;of&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t\\Windows&nbsp;NT\\CurrentVersion\\Winlogon\\Userinit&lt;/code&gt;&nbsp;and&nbsp;&lt;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\System\\CurrentContro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">de&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows&nbsp;NT\\CurrentV</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lSet\\Control\\Session&nbsp;Manager&lt;/code&gt;&nbsp;is&nbsp;set&nbsp;to&nbsp;&lt;code&gt;autochec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ersion\\Winlogon\\Shell&lt;/code&gt;&nbsp;subkeys&nbsp;can&nbsp;automatically&nbsp;launc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">k&nbsp;autochk&nbsp;*&lt;/code&gt;.&nbsp;This&nbsp;value&nbsp;causes&nbsp;Windows,&nbsp;at&nbsp;startup,&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">h&nbsp;programs.&nbsp;&nbsp;Programs&nbsp;listed&nbsp;in&nbsp;the&nbsp;load&nbsp;value&nbsp;of&nbsp;the&nbsp;regist</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;check&nbsp;the&nbsp;file-system&nbsp;integrity&nbsp;of&nbsp;the&nbsp;hard&nbsp;disks&nbsp;if&nbsp;the&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;key&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows&nbsp;NT</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ystem&nbsp;has&nbsp;been&nbsp;shut&nbsp;down&nbsp;abnormally.&nbsp;Adversaries&nbsp;can&nbsp;add&nbsp;oth</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\\CurrentVersion\\Windows&lt;/code&gt;&nbsp;run&nbsp;when&nbsp;any&nbsp;user&nbsp;logs&nbsp;on.&nbsp;&nbsp;B</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;programs&nbsp;or&nbsp;processes&nbsp;to&nbsp;this&nbsp;registry&nbsp;value&nbsp;which&nbsp;will&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;default,&nbsp;the&nbsp;multistring&nbsp;&lt;code&gt;BootExecute&lt;/code&gt;&nbsp;value&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">utomatically&nbsp;launch&nbsp;at&nbsp;boot.&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;use&nbsp;these&nbsp;conf</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\System\\CurrentCon</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iguration&nbsp;locations&nbsp;to&nbsp;execute&nbsp;malware,&nbsp;such&nbsp;as&nbsp;remote&nbsp;acces</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">trolSet\\Control\\Session&nbsp;Manager&lt;/code&gt;&nbsp;is&nbsp;set&nbsp;to&nbsp;&lt;code&gt;autoc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;tools,&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;through&nbsp;system&nbsp;reboots.&nbsp;Adv</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">heck&nbsp;autochk&nbsp;*&lt;/code&gt;.&nbsp;This&nbsp;value&nbsp;causes&nbsp;Windows,&nbsp;at&nbsp;startup</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ersaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](https://attack.mitre.or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;to&nbsp;check&nbsp;the&nbsp;file-system&nbsp;integrity&nbsp;of&nbsp;the&nbsp;hard&nbsp;disks&nbsp;if&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g/techniques/T1036)&nbsp;to&nbsp;make&nbsp;the&nbsp;Registry&nbsp;entries&nbsp;look&nbsp;as&nbsp;if&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;system&nbsp;has&nbsp;been&nbsp;shut&nbsp;down&nbsp;abnormally.&nbsp;Adversaries&nbsp;can&nbsp;add&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;programs.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">other&nbsp;programs&nbsp;or&nbsp;processes&nbsp;to&nbsp;this&nbsp;registry&nbsp;value&nbsp;which&nbsp;wil</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l&nbsp;automatically&nbsp;launch&nbsp;at&nbsp;boot.&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;use&nbsp;these&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">onfiguration&nbsp;locations&nbsp;to&nbsp;execute&nbsp;malware,&nbsp;such&nbsp;as&nbsp;remote&nbsp;ac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cess&nbsp;tools,&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;through&nbsp;system&nbsp;reboots.&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](https://attack.mitre</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.org/techniques/T1036)&nbsp;to&nbsp;make&nbsp;the&nbsp;Registry&nbsp;entries&nbsp;look&nbsp;as&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">if&nbsp;they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;programs.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to30__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to30__0\"><a href=\"#difflib_chg_to30__top\">t</a></td><td class=\"diff_header\" id=\"from30_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to30__top\">t</a></td><td class=\"diff_header\" id=\"to30_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;achieve&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;program&nbsp;to&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;startup&nbsp;folder&nbsp;or&nbsp;referencing&nbsp;it&nbsp;with&nbsp;a&nbsp;Registry&nbsp;run&nbsp;key.&nbsp;A</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;\"run&nbsp;keys\"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dding&nbsp;an&nbsp;entry&nbsp;to&nbsp;the&nbsp;\"run&nbsp;keys\"&nbsp;in&nbsp;the&nbsp;Registry&nbsp;or&nbsp;startup&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">folder&nbsp;will&nbsp;cause&nbsp;the&nbsp;program&nbsp;referenced&nbsp;to&nbsp;be&nbsp;executed&nbsp;when</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;These&nbsp;programs</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;These&nbsp;programs</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;will&nbsp;be&nbsp;executed&nbsp;under&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;will&nbsp;hav</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;will&nbsp;be&nbsp;executed&nbsp;under&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;will&nbsp;hav</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;the&nbsp;account's&nbsp;associated&nbsp;permissions&nbsp;level.&nbsp;&nbsp;Placing&nbsp;a&nbsp;pro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;the&nbsp;account's&nbsp;associated&nbsp;permissions&nbsp;level.&nbsp;&nbsp;The&nbsp;following</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">gram&nbsp;within&nbsp;a&nbsp;startup&nbsp;folder&nbsp;will&nbsp;also&nbsp;cause&nbsp;that&nbsp;program&nbsp;to</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;run&nbsp;keys&nbsp;are&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;systems:&nbsp;&nbsp;*&nbsp;&lt;cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;execute&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;There&nbsp;is&nbsp;a&nbsp;startup&nbsp;folder&nbsp;loca</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tion&nbsp;for&nbsp;individual&nbsp;user&nbsp;accounts&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;system-wide&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tartup&nbsp;folder&nbsp;that&nbsp;will&nbsp;be&nbsp;checked&nbsp;regardless&nbsp;of&nbsp;which&nbsp;user&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ndows\\CurrentVersion\\RunOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHI</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">account&nbsp;logs&nbsp;in.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;path&nbsp;for&nbsp;the&nbsp;current&nbsp;use</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">NE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">r&nbsp;is&nbsp;&lt;code&gt;C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ode&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVer</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ndows\\Start&nbsp;Menu\\Programs\\Startup&lt;/code&gt;.&nbsp;The&nbsp;startup&nbsp;folder</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">sion\\RunOnce&lt;/code&gt;&nbsp;&nbsp;Run&nbsp;keys&nbsp;may&nbsp;exist&nbsp;under&nbsp;multiple&nbsp;hives</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;path&nbsp;for&nbsp;all&nbsp;users&nbsp;is&nbsp;&lt;code&gt;C:\\ProgramData\\Microsoft\\Window</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.(Citation:&nbsp;Microsoft&nbsp;Wow6432Node&nbsp;2018)(Citation:&nbsp;Malwarebyt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s\\Start&nbsp;Menu\\Programs\\StartUp&lt;/code&gt;.&nbsp;&nbsp;The&nbsp;following&nbsp;run&nbsp;key</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es&nbsp;Wow6432Node&nbsp;2016)&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\M</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;are&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;systems:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icrosoft\\Windows\\CurrentVersion\\RunOnceEx&lt;/code&gt;&nbsp;is&nbsp;also&nbsp;ava</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">URRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ilable&nbsp;but&nbsp;is&nbsp;not&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;ne</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ode&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Cu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">wer.&nbsp;Registry&nbsp;run&nbsp;key&nbsp;entries&nbsp;can&nbsp;reference&nbsp;programs&nbsp;directl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rrentVersion\\RunOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Softw</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;or&nbsp;list&nbsp;them&nbsp;as&nbsp;a&nbsp;dependency.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">are\\Microsoft\\Windows\\CurrentVersion\\Run&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;For&nbsp;example,&nbsp;it&nbsp;is&nbsp;possible&nbsp;to&nbsp;load&nbsp;a&nbsp;DLL&nbsp;at&nbsp;logon&nbsp;using&nbsp;a&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">\"Depend\"&nbsp;key&nbsp;with&nbsp;RunOnceEx:&nbsp;&lt;code&gt;reg&nbsp;add&nbsp;HKLM\\SOFTWARE\\Mic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Once&lt;/code&gt;&nbsp;&nbsp;Run&nbsp;keys&nbsp;may&nbsp;exist&nbsp;under&nbsp;multiple&nbsp;hives.(Citati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rosoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend&nbsp;/v&nbsp;1&nbsp;/d&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on:&nbsp;Microsoft&nbsp;Wow6432Node&nbsp;2018)(Citation:&nbsp;Malwarebytes&nbsp;Wow64</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">\"C:\\temp\\evil[.]dll\"&lt;/code&gt;&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;RunOnceEx&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">32Node&nbsp;2016)&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Mar&nbsp;2018)&nbsp;&nbsp;Placing&nbsp;a&nbsp;program&nbsp;within&nbsp;a&nbsp;startup&nbsp;folder&nbsp;will&nbsp;al</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\\Windows\\CurrentVersion\\RunOnceEx&lt;/code&gt;&nbsp;is&nbsp;also&nbsp;available&nbsp;b</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">so&nbsp;cause&nbsp;that&nbsp;program&nbsp;to&nbsp;execute&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;in.&nbsp;There&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ut&nbsp;is&nbsp;not&nbsp;created&nbsp;by&nbsp;default&nbsp;on&nbsp;Windows&nbsp;Vista&nbsp;and&nbsp;newer.&nbsp;Reg</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">is&nbsp;a&nbsp;startup&nbsp;folder&nbsp;location&nbsp;for&nbsp;individual&nbsp;user&nbsp;accounts&nbsp;as</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">istry&nbsp;run&nbsp;key&nbsp;entries&nbsp;can&nbsp;reference&nbsp;programs&nbsp;directly&nbsp;or&nbsp;lis</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;well&nbsp;as&nbsp;a&nbsp;system-wide&nbsp;startup&nbsp;folder&nbsp;that&nbsp;will&nbsp;be&nbsp;checked&nbsp;r</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;them&nbsp;as&nbsp;a&nbsp;dependency.(Citation:&nbsp;Microsoft&nbsp;Run&nbsp;Key)&nbsp;For&nbsp;exa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">egardless&nbsp;of&nbsp;which&nbsp;user&nbsp;account&nbsp;logs&nbsp;in.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mple,&nbsp;it&nbsp;is&nbsp;possible&nbsp;to&nbsp;load&nbsp;a&nbsp;DLL&nbsp;at&nbsp;logon&nbsp;using&nbsp;a&nbsp;\"Depend\"</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">path&nbsp;for&nbsp;the&nbsp;current&nbsp;user&nbsp;is&nbsp;&lt;code&gt;C:\\Users\\\\[Username]\\AppD</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;key&nbsp;with&nbsp;RunOnceEx:&nbsp;&lt;code&gt;reg&nbsp;add&nbsp;HKLM\\SOFTWARE\\Microsoft\\W</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ata\\Roaming\\Microsoft\\Windows\\Start&nbsp;Menu\\Programs\\Startup&lt;/c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">indows\\CurrentVersion\\RunOnceEx\\0001\\Depend&nbsp;/v&nbsp;1&nbsp;/d&nbsp;\"C:\\temp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ode&gt;.&nbsp;The&nbsp;startup&nbsp;folder&nbsp;path&nbsp;for&nbsp;all&nbsp;users&nbsp;is&nbsp;&lt;code&gt;C:\\Prog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\\evil[.]dll\"&lt;/code&gt;&nbsp;(Citation:&nbsp;Oddvar&nbsp;Moe&nbsp;RunOnceEx&nbsp;Mar&nbsp;2018</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ramData\\Microsoft\\Windows\\Start&nbsp;Menu\\Programs\\StartUp&lt;/code&gt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">)&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;set&nbsp;startup&nbsp;fo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;set&nbsp;startup&nbsp;fo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lder&nbsp;items&nbsp;for&nbsp;persistence:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Softw</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lder&nbsp;items&nbsp;for&nbsp;persistence:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Softw</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">are\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">are\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Win</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Win</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dows\\CurrentVersion\\Explorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HK</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dows\\CurrentVersion\\Explorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HK</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">EY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\E</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">EY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\E</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">xplorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\SOFT</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xplorer\\Shell&nbsp;Folders&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\SOFT</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">WARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">WARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User&nbsp;Shell&nbsp;Fo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lders&lt;/code&gt;&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;control&nbsp;automa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lders&lt;/code&gt;&nbsp;&nbsp;The&nbsp;following&nbsp;Registry&nbsp;keys&nbsp;can&nbsp;control&nbsp;automa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tic&nbsp;startup&nbsp;of&nbsp;services&nbsp;during&nbsp;boot:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MAC</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tic&nbsp;startup&nbsp;of&nbsp;services&nbsp;during&nbsp;boot:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MAC</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">HINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOn</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">HINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ws\\CurrentVersion\\RunServicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ws\\CurrentVersion\\RunServicesOnce&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunService</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunService</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Window</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Window</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s\\CurrentVersion\\RunServices&lt;/code&gt;&nbsp;&nbsp;Using&nbsp;policy&nbsp;settings&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s\\CurrentVersion\\RunServices&lt;/code&gt;&nbsp;&nbsp;Using&nbsp;policy&nbsp;settings&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;specify&nbsp;startup&nbsp;programs&nbsp;creates&nbsp;corresponding&nbsp;values&nbsp;in&nbsp;e</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;specify&nbsp;startup&nbsp;programs&nbsp;creates&nbsp;corresponding&nbsp;values&nbsp;in&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ither&nbsp;of&nbsp;two&nbsp;Registry&nbsp;keys:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Soft</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ither&nbsp;of&nbsp;two&nbsp;Registry&nbsp;keys:&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Soft</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run&lt;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run&lt;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">CurrentVersion\\Policies\\Explorer\\Run&lt;/code&gt;&nbsp;&nbsp;The&nbsp;Winlogon&nbsp;ke</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">CurrentVersion\\Policies\\Explorer\\Run&lt;/code&gt;&nbsp;&nbsp;Programs&nbsp;listed</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;controls&nbsp;actions&nbsp;that&nbsp;occur&nbsp;when&nbsp;a&nbsp;user&nbsp;logs&nbsp;on&nbsp;to&nbsp;a&nbsp;compu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;in&nbsp;the&nbsp;load&nbsp;value&nbsp;of&nbsp;the&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_CURRENT_US</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ter&nbsp;running&nbsp;Windows&nbsp;7.&nbsp;Most&nbsp;of&nbsp;these&nbsp;actions&nbsp;are&nbsp;under&nbsp;the&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ER\\Software\\Microsoft\\Windows&nbsp;NT\\CurrentVersion\\Windows&lt;/cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ontrol&nbsp;of&nbsp;the&nbsp;operating&nbsp;system,&nbsp;but&nbsp;you&nbsp;can&nbsp;also&nbsp;add&nbsp;custom&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;&nbsp;run&nbsp;automatically&nbsp;for&nbsp;the&nbsp;currently&nbsp;logged-on&nbsp;user.&nbsp;&nbsp;By&nbsp;d</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">actions&nbsp;here.&nbsp;The&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\Software\\Microsof</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">efault,&nbsp;the&nbsp;multistring&nbsp;&lt;code&gt;BootExecute&lt;/code&gt;&nbsp;value&nbsp;of&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t\\Windows&nbsp;NT\\CurrentVersion\\Winlogon\\Userinit&lt;/code&gt;&nbsp;and&nbsp;&lt;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\System\\CurrentContro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">de&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows&nbsp;NT\\CurrentV</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lSet\\Control\\Session&nbsp;Manager&lt;/code&gt;&nbsp;is&nbsp;set&nbsp;to&nbsp;&lt;code&gt;autochec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ersion\\Winlogon\\Shell&lt;/code&gt;&nbsp;subkeys&nbsp;can&nbsp;automatically&nbsp;launc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">k&nbsp;autochk&nbsp;*&lt;/code&gt;.&nbsp;This&nbsp;value&nbsp;causes&nbsp;Windows,&nbsp;at&nbsp;startup,&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">h&nbsp;programs.&nbsp;&nbsp;Programs&nbsp;listed&nbsp;in&nbsp;the&nbsp;load&nbsp;value&nbsp;of&nbsp;the&nbsp;regist</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;check&nbsp;the&nbsp;file-system&nbsp;integrity&nbsp;of&nbsp;the&nbsp;hard&nbsp;disks&nbsp;if&nbsp;the&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;key&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows&nbsp;NT</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ystem&nbsp;has&nbsp;been&nbsp;shut&nbsp;down&nbsp;abnormally.&nbsp;Adversaries&nbsp;can&nbsp;add&nbsp;oth</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\\CurrentVersion\\Windows&lt;/code&gt;&nbsp;run&nbsp;when&nbsp;any&nbsp;user&nbsp;logs&nbsp;on.&nbsp;&nbsp;B</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;programs&nbsp;or&nbsp;processes&nbsp;to&nbsp;this&nbsp;registry&nbsp;value&nbsp;which&nbsp;will&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;default,&nbsp;the&nbsp;multistring&nbsp;&lt;code&gt;BootExecute&lt;/code&gt;&nbsp;value&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">utomatically&nbsp;launch&nbsp;at&nbsp;boot.&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;use&nbsp;these&nbsp;conf</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;registry&nbsp;key&nbsp;&lt;code&gt;HKEY_LOCAL_MACHINE\\System\\CurrentCon</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iguration&nbsp;locations&nbsp;to&nbsp;execute&nbsp;malware,&nbsp;such&nbsp;as&nbsp;remote&nbsp;acces</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">trolSet\\Control\\Session&nbsp;Manager&lt;/code&gt;&nbsp;is&nbsp;set&nbsp;to&nbsp;&lt;code&gt;autoc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;tools,&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;through&nbsp;system&nbsp;reboots.&nbsp;Adv</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">heck&nbsp;autochk&nbsp;*&lt;/code&gt;.&nbsp;This&nbsp;value&nbsp;causes&nbsp;Windows,&nbsp;at&nbsp;startup</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ersaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](https://attack.mitre.or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;to&nbsp;check&nbsp;the&nbsp;file-system&nbsp;integrity&nbsp;of&nbsp;the&nbsp;hard&nbsp;disks&nbsp;if&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g/techniques/T1036)&nbsp;to&nbsp;make&nbsp;the&nbsp;Registry&nbsp;entries&nbsp;look&nbsp;as&nbsp;if&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;system&nbsp;has&nbsp;been&nbsp;shut&nbsp;down&nbsp;abnormally.&nbsp;Adversaries&nbsp;can&nbsp;add&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;programs.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">other&nbsp;programs&nbsp;or&nbsp;processes&nbsp;to&nbsp;this&nbsp;registry&nbsp;value&nbsp;which&nbsp;wil</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l&nbsp;automatically&nbsp;launch&nbsp;at&nbsp;boot.&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;use&nbsp;these&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">onfiguration&nbsp;locations&nbsp;to&nbsp;execute&nbsp;malware,&nbsp;such&nbsp;as&nbsp;remote&nbsp;ac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cess&nbsp;tools,&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;through&nbsp;system&nbsp;reboots.&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](https://attack.mitre</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.org/techniques/T1036)&nbsp;to&nbsp;make&nbsp;the&nbsp;Registry&nbsp;entries&nbsp;look&nbsp;as&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">if&nbsp;they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;programs.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [],
                         "new": [],
@@ -1480,7 +1480,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 10:47:17.305000+00:00\", \"old_value\": \"2023-04-20 18:13:50.277000+00:00\"}, \"root['name']\": {\"new_value\": \"Disable or Modify Cloud Logs\", \"old_value\": \"Disable Cloud Logs\"}, \"root['description']\": {\"new_value\": \"An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.\\n\\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality \\u2013 for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\", \"old_value\": \"An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.\\n\\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.\\n+An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.\\n \\n-For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\\n+For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality \\u2013 for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"AWS Update Trail\", \"description\": \"AWS. (n.d.). update-trail. Retrieved August 4, 2023.\", \"url\": \"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\"}, \"root['external_references'][7]\": {\"source_name\": \"Pacu Detection Disruption Module\", \"description\": \"Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.\", \"url\": \"https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py\"}}}",
                     "previous_version": "1.3",
                     "version_change": "1.3 \u2192 2.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to34__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to34__0\"><a href=\"#difflib_chg_to34__top\">t</a></td><td class=\"diff_header\" id=\"from34_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class=\"diff_chg\">cloud&nbsp;logging</span>&nbsp;capabilities&nbsp;and&nbsp;inte</td><td class=\"diff_next\"><a href=\"#difflib_chg_to34__top\">t</a></td><td class=\"diff_header\" id=\"to34_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class=\"diff_chg\">or&nbsp;modify&nbsp;cloud&nbsp;logging</span>&nbsp;capabilitie</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">grations&nbsp;to&nbsp;limit&nbsp;what&nbsp;data&nbsp;is&nbsp;collected&nbsp;on&nbsp;their&nbsp;activities</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;and&nbsp;integrations&nbsp;to&nbsp;limit&nbsp;what&nbsp;data&nbsp;is&nbsp;collected&nbsp;on&nbsp;their&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;avoid&nbsp;detection.&nbsp;Cloud&nbsp;environments&nbsp;allow&nbsp;for&nbsp;collectio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">activities&nbsp;and&nbsp;avoid&nbsp;detection.&nbsp;Cloud&nbsp;environments&nbsp;allow&nbsp;for</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;and&nbsp;analysis&nbsp;of&nbsp;audit&nbsp;and&nbsp;application&nbsp;logs&nbsp;that&nbsp;provide&nbsp;in</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;collection&nbsp;and&nbsp;analysis&nbsp;of&nbsp;audit&nbsp;and&nbsp;application&nbsp;logs&nbsp;that&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sight&nbsp;into&nbsp;what&nbsp;activities&nbsp;a&nbsp;user&nbsp;does&nbsp;within&nbsp;the&nbsp;environmen</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">provide&nbsp;insight&nbsp;into&nbsp;what&nbsp;activities&nbsp;a&nbsp;user&nbsp;does&nbsp;within&nbsp;the&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t.&nbsp;If&nbsp;an&nbsp;adversary&nbsp;has&nbsp;sufficient&nbsp;permissions,&nbsp;they&nbsp;can&nbsp;disa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">environment.&nbsp;If&nbsp;an&nbsp;adversary&nbsp;has&nbsp;sufficient&nbsp;permissions,&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ble&nbsp;<span class=\"diff_chg\">logging&nbsp;to&nbsp;avoid&nbsp;detection&nbsp;of&nbsp;their</span>&nbsp;activities.&nbsp;&nbsp;For&nbsp;exa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;can&nbsp;disable&nbsp;<span class=\"diff_chg\">or&nbsp;modify&nbsp;logging&nbsp;to&nbsp;avoid&nbsp;detection&nbsp;of&nbsp;their</span>&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mple,&nbsp;in&nbsp;AWS&nbsp;an&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;CloudWatch/CloudTrail&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">activities.&nbsp;&nbsp;For&nbsp;example,&nbsp;in&nbsp;AWS&nbsp;an&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;Cl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">integrations&nbsp;prior&nbsp;to&nbsp;conducting&nbsp;further&nbsp;malicious&nbsp;activity.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oudWatch/CloudTrail&nbsp;integrations&nbsp;prior&nbsp;to&nbsp;conducting&nbsp;further</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;Following&nbsp;the&nbsp;CloudTrail:&nbsp;Generating&nbsp;strong&nbsp;AWS&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;malicious&nbsp;activity.(Citation:&nbsp;Following&nbsp;the&nbsp;CloudTrail:&nbsp;Gen</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ecurity&nbsp;signals&nbsp;with&nbsp;Sumo&nbsp;Logic)&nbsp;In&nbsp;Office&nbsp;365,&nbsp;an&nbsp;adversary</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">erating&nbsp;strong&nbsp;AWS&nbsp;security&nbsp;signals&nbsp;with&nbsp;Sumo&nbsp;Logic)&nbsp;<span class=\"diff_add\">They&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;disable&nbsp;logging&nbsp;on&nbsp;mail&nbsp;collection&nbsp;activities&nbsp;for&nbsp;speci</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;alternatively&nbsp;tamper&nbsp;with&nbsp;logging&nbsp;functionality&nbsp;\u2013&nbsp;for&nbsp;exam</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fic&nbsp;users&nbsp;by&nbsp;using&nbsp;the&nbsp;`Set-MailboxAuditBypassAssociation`&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ple,&nbsp;by&nbsp;removing&nbsp;any&nbsp;associated&nbsp;SNS&nbsp;topics,&nbsp;disabling&nbsp;multi-</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mdlet,&nbsp;by&nbsp;disabling&nbsp;M365&nbsp;Advanced&nbsp;Auditing&nbsp;for&nbsp;the&nbsp;user,&nbsp;or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">region&nbsp;logging,&nbsp;or&nbsp;disabling&nbsp;settings&nbsp;that&nbsp;validate&nbsp;and/or&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">by&nbsp;downgrading&nbsp;the&nbsp;user\u2019s&nbsp;license&nbsp;from&nbsp;an&nbsp;Enterprise&nbsp;E5&nbsp;to&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ncrypt&nbsp;log&nbsp;files.(Citation:&nbsp;AWS&nbsp;Update&nbsp;Trail)(Citation:&nbsp;Pacu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Enterprise&nbsp;E3&nbsp;license.(Citation:&nbsp;Dark&nbsp;Reading&nbsp;Microsoft&nbsp;36</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Detection&nbsp;Disruption&nbsp;Module)&nbsp;</span>In&nbsp;Office&nbsp;365,&nbsp;an&nbsp;adversary&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">5&nbsp;Attacks&nbsp;2021)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;disable&nbsp;logging&nbsp;on&nbsp;mail&nbsp;collection&nbsp;activities&nbsp;for&nbsp;specific</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;users&nbsp;by&nbsp;using&nbsp;the&nbsp;`Set-MailboxAuditBypassAssociation`&nbsp;cmdl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">et,&nbsp;by&nbsp;disabling&nbsp;M365&nbsp;Advanced&nbsp;Auditing&nbsp;for&nbsp;the&nbsp;user,&nbsp;or&nbsp;by&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">downgrading&nbsp;the&nbsp;user\u2019s&nbsp;license&nbsp;from&nbsp;an&nbsp;Enterprise&nbsp;E5&nbsp;to&nbsp;an&nbsp;E</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nterprise&nbsp;E3&nbsp;license.(Citation:&nbsp;Dark&nbsp;Reading&nbsp;Microsoft&nbsp;365&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttacks&nbsp;2021)</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to6__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to6__0\"><a href=\"#difflib_chg_to6__top\">t</a></td><td class=\"diff_header\" id=\"from6_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class=\"diff_chg\">cloud&nbsp;logging</span>&nbsp;capabilities&nbsp;and&nbsp;inte</td><td class=\"diff_next\"><a href=\"#difflib_chg_to6__top\">t</a></td><td class=\"diff_header\" id=\"to6_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;<span class=\"diff_chg\">or&nbsp;modify&nbsp;cloud&nbsp;logging</span>&nbsp;capabilitie</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">grations&nbsp;to&nbsp;limit&nbsp;what&nbsp;data&nbsp;is&nbsp;collected&nbsp;on&nbsp;their&nbsp;activities</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;and&nbsp;integrations&nbsp;to&nbsp;limit&nbsp;what&nbsp;data&nbsp;is&nbsp;collected&nbsp;on&nbsp;their&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;avoid&nbsp;detection.&nbsp;Cloud&nbsp;environments&nbsp;allow&nbsp;for&nbsp;collectio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">activities&nbsp;and&nbsp;avoid&nbsp;detection.&nbsp;Cloud&nbsp;environments&nbsp;allow&nbsp;for</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;and&nbsp;analysis&nbsp;of&nbsp;audit&nbsp;and&nbsp;application&nbsp;logs&nbsp;that&nbsp;provide&nbsp;in</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;collection&nbsp;and&nbsp;analysis&nbsp;of&nbsp;audit&nbsp;and&nbsp;application&nbsp;logs&nbsp;that&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sight&nbsp;into&nbsp;what&nbsp;activities&nbsp;a&nbsp;user&nbsp;does&nbsp;within&nbsp;the&nbsp;environmen</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">provide&nbsp;insight&nbsp;into&nbsp;what&nbsp;activities&nbsp;a&nbsp;user&nbsp;does&nbsp;within&nbsp;the&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t.&nbsp;If&nbsp;an&nbsp;adversary&nbsp;has&nbsp;sufficient&nbsp;permissions,&nbsp;they&nbsp;can&nbsp;disa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">environment.&nbsp;If&nbsp;an&nbsp;adversary&nbsp;has&nbsp;sufficient&nbsp;permissions,&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ble&nbsp;<span class=\"diff_chg\">logging&nbsp;to&nbsp;avoid&nbsp;detection&nbsp;of&nbsp;their</span>&nbsp;activities.&nbsp;&nbsp;For&nbsp;exa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;can&nbsp;disable&nbsp;<span class=\"diff_chg\">or&nbsp;modify&nbsp;logging&nbsp;to&nbsp;avoid&nbsp;detection&nbsp;of&nbsp;their</span>&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mple,&nbsp;in&nbsp;AWS&nbsp;an&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;CloudWatch/CloudTrail&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">activities.&nbsp;&nbsp;For&nbsp;example,&nbsp;in&nbsp;AWS&nbsp;an&nbsp;adversary&nbsp;may&nbsp;disable&nbsp;Cl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">integrations&nbsp;prior&nbsp;to&nbsp;conducting&nbsp;further&nbsp;malicious&nbsp;activity.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oudWatch/CloudTrail&nbsp;integrations&nbsp;prior&nbsp;to&nbsp;conducting&nbsp;further</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;Following&nbsp;the&nbsp;CloudTrail:&nbsp;Generating&nbsp;strong&nbsp;AWS&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;malicious&nbsp;activity.(Citation:&nbsp;Following&nbsp;the&nbsp;CloudTrail:&nbsp;Gen</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ecurity&nbsp;signals&nbsp;with&nbsp;Sumo&nbsp;Logic)&nbsp;In&nbsp;Office&nbsp;365,&nbsp;an&nbsp;adversary</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">erating&nbsp;strong&nbsp;AWS&nbsp;security&nbsp;signals&nbsp;with&nbsp;Sumo&nbsp;Logic)&nbsp;<span class=\"diff_add\">They&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;disable&nbsp;logging&nbsp;on&nbsp;mail&nbsp;collection&nbsp;activities&nbsp;for&nbsp;speci</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;alternatively&nbsp;tamper&nbsp;with&nbsp;logging&nbsp;functionality&nbsp;\u2013&nbsp;for&nbsp;exam</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fic&nbsp;users&nbsp;by&nbsp;using&nbsp;the&nbsp;`Set-MailboxAuditBypassAssociation`&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ple,&nbsp;by&nbsp;removing&nbsp;any&nbsp;associated&nbsp;SNS&nbsp;topics,&nbsp;disabling&nbsp;multi-</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mdlet,&nbsp;by&nbsp;disabling&nbsp;M365&nbsp;Advanced&nbsp;Auditing&nbsp;for&nbsp;the&nbsp;user,&nbsp;or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">region&nbsp;logging,&nbsp;or&nbsp;disabling&nbsp;settings&nbsp;that&nbsp;validate&nbsp;and/or&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">by&nbsp;downgrading&nbsp;the&nbsp;user\u2019s&nbsp;license&nbsp;from&nbsp;an&nbsp;Enterprise&nbsp;E5&nbsp;to&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ncrypt&nbsp;log&nbsp;files.(Citation:&nbsp;AWS&nbsp;Update&nbsp;Trail)(Citation:&nbsp;Pacu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Enterprise&nbsp;E3&nbsp;license.(Citation:&nbsp;Dark&nbsp;Reading&nbsp;Microsoft&nbsp;36</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Detection&nbsp;Disruption&nbsp;Module)&nbsp;</span>In&nbsp;Office&nbsp;365,&nbsp;an&nbsp;adversary&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">5&nbsp;Attacks&nbsp;2021)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;disable&nbsp;logging&nbsp;on&nbsp;mail&nbsp;collection&nbsp;activities&nbsp;for&nbsp;specific</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;users&nbsp;by&nbsp;using&nbsp;the&nbsp;`Set-MailboxAuditBypassAssociation`&nbsp;cmdl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">et,&nbsp;by&nbsp;disabling&nbsp;M365&nbsp;Advanced&nbsp;Auditing&nbsp;for&nbsp;the&nbsp;user,&nbsp;or&nbsp;by&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">downgrading&nbsp;the&nbsp;user\u2019s&nbsp;license&nbsp;from&nbsp;an&nbsp;Enterprise&nbsp;E5&nbsp;to&nbsp;an&nbsp;E</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nterprise&nbsp;E3&nbsp;license.(Citation:&nbsp;Dark&nbsp;Reading&nbsp;Microsoft&nbsp;365&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttacks&nbsp;2021)</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management"
@@ -1760,7 +1760,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:45:54.884000+00:00\", \"old_value\": \"2023-04-12 23:29:30.966000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n\\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).\", \"old_value\": \"Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n\\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n+Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \\n \\n In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.6\", \"old_value\": \"2.5\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][4]\": \"Arad Inbar, Fidelis Security\", \"root['x_mitre_platforms'][9]\": \"Containers\"}}",
                     "previous_version": "2.5",
                     "version_change": "2.5 \u2192 2.6",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to25__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to25__0\"><a href=\"#difflib_chg_to25__top\">t</a></td><td class=\"diff_header\" id=\"from25_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class=\"diff_chg\">ccess&nbsp;to&nbsp;vi</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to25__top\">t</a></td><td class=\"diff_header\" id=\"to25_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class=\"diff_chg\">nd/or&nbsp;eleva</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ctim</span>&nbsp;systems.&nbsp;Account&nbsp;manipulation&nbsp;may&nbsp;consist&nbsp;of&nbsp;any&nbsp;action</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">te&nbsp;access&nbsp;to&nbsp;victim</span>&nbsp;systems.&nbsp;Account&nbsp;manipulation&nbsp;may&nbsp;consis</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;that&nbsp;preserves&nbsp;<span class=\"diff_chg\">adversary&nbsp;access&nbsp;to&nbsp;a&nbsp;compromised</span>&nbsp;account,&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;of&nbsp;any&nbsp;action&nbsp;that&nbsp;preserves&nbsp;<span class=\"diff_chg\">or&nbsp;modifies&nbsp;adversary&nbsp;access&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;modifying&nbsp;credentials&nbsp;or&nbsp;permission&nbsp;groups.&nbsp;These&nbsp;act</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">to&nbsp;a&nbsp;compromised</span>&nbsp;account,&nbsp;such&nbsp;as&nbsp;modifying&nbsp;credentials&nbsp;or&nbsp;p</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ions&nbsp;could&nbsp;also&nbsp;include&nbsp;account&nbsp;activity&nbsp;designed&nbsp;to&nbsp;subvert</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ermission&nbsp;groups.&nbsp;These&nbsp;actions&nbsp;could&nbsp;also&nbsp;include&nbsp;account&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;security&nbsp;policies,&nbsp;such&nbsp;as&nbsp;performing&nbsp;iterative&nbsp;password&nbsp;up</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctivity&nbsp;designed&nbsp;to&nbsp;subvert&nbsp;security&nbsp;policies,&nbsp;such&nbsp;as&nbsp;perfo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dates&nbsp;to&nbsp;bypass&nbsp;password&nbsp;duration&nbsp;policies&nbsp;and&nbsp;preserve&nbsp;the&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rming&nbsp;iterative&nbsp;password&nbsp;updates&nbsp;to&nbsp;bypass&nbsp;password&nbsp;duration</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">life&nbsp;of&nbsp;compromised&nbsp;credentials.&nbsp;&nbsp;&nbsp;In&nbsp;order&nbsp;to&nbsp;create&nbsp;or&nbsp;man</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;policies&nbsp;and&nbsp;preserve&nbsp;the&nbsp;life&nbsp;of&nbsp;compromised&nbsp;credentials.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ipulate&nbsp;accounts,&nbsp;the&nbsp;adversary&nbsp;must&nbsp;already&nbsp;have&nbsp;sufficient</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;In&nbsp;order&nbsp;to&nbsp;create&nbsp;or&nbsp;manipulate&nbsp;accounts,&nbsp;the&nbsp;adversary&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;permissions&nbsp;on&nbsp;systems&nbsp;or&nbsp;the&nbsp;domain.&nbsp;However,&nbsp;account&nbsp;mani</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ust&nbsp;already&nbsp;have&nbsp;sufficient&nbsp;permissions&nbsp;on&nbsp;systems&nbsp;or&nbsp;the&nbsp;do</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pulation&nbsp;may&nbsp;also&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation&nbsp;where&nbsp;modific</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">main.&nbsp;However,&nbsp;account&nbsp;manipulation&nbsp;may&nbsp;also&nbsp;lead&nbsp;to&nbsp;privile</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ations&nbsp;grant&nbsp;access&nbsp;to&nbsp;additional&nbsp;roles,&nbsp;permissions,&nbsp;or&nbsp;hig</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ge&nbsp;escalation&nbsp;where&nbsp;modifications&nbsp;grant&nbsp;access&nbsp;to&nbsp;additional</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">her-privileged&nbsp;[Valid&nbsp;Accounts](https://attack.mitre.org/tec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;roles,&nbsp;permissions,&nbsp;or&nbsp;higher-privileged&nbsp;[Valid&nbsp;Accounts](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1078).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1078).</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to17__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to17__0\"><a href=\"#difflib_chg_to17__top\">t</a></td><td class=\"diff_header\" id=\"from17_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class=\"diff_chg\">ccess&nbsp;to&nbsp;vi</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to17__top\">t</a></td><td class=\"diff_header\" id=\"to17_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;manipulate&nbsp;accounts&nbsp;to&nbsp;maintain&nbsp;a<span class=\"diff_chg\">nd/or&nbsp;eleva</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ctim</span>&nbsp;systems.&nbsp;Account&nbsp;manipulation&nbsp;may&nbsp;consist&nbsp;of&nbsp;any&nbsp;action</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">te&nbsp;access&nbsp;to&nbsp;victim</span>&nbsp;systems.&nbsp;Account&nbsp;manipulation&nbsp;may&nbsp;consis</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;that&nbsp;preserves&nbsp;<span class=\"diff_chg\">adversary&nbsp;access&nbsp;to&nbsp;a&nbsp;compromised</span>&nbsp;account,&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;of&nbsp;any&nbsp;action&nbsp;that&nbsp;preserves&nbsp;<span class=\"diff_chg\">or&nbsp;modifies&nbsp;adversary&nbsp;access&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;modifying&nbsp;credentials&nbsp;or&nbsp;permission&nbsp;groups.&nbsp;These&nbsp;act</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">to&nbsp;a&nbsp;compromised</span>&nbsp;account,&nbsp;such&nbsp;as&nbsp;modifying&nbsp;credentials&nbsp;or&nbsp;p</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ions&nbsp;could&nbsp;also&nbsp;include&nbsp;account&nbsp;activity&nbsp;designed&nbsp;to&nbsp;subvert</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ermission&nbsp;groups.&nbsp;These&nbsp;actions&nbsp;could&nbsp;also&nbsp;include&nbsp;account&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;security&nbsp;policies,&nbsp;such&nbsp;as&nbsp;performing&nbsp;iterative&nbsp;password&nbsp;up</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctivity&nbsp;designed&nbsp;to&nbsp;subvert&nbsp;security&nbsp;policies,&nbsp;such&nbsp;as&nbsp;perfo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dates&nbsp;to&nbsp;bypass&nbsp;password&nbsp;duration&nbsp;policies&nbsp;and&nbsp;preserve&nbsp;the&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rming&nbsp;iterative&nbsp;password&nbsp;updates&nbsp;to&nbsp;bypass&nbsp;password&nbsp;duration</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">life&nbsp;of&nbsp;compromised&nbsp;credentials.&nbsp;&nbsp;&nbsp;In&nbsp;order&nbsp;to&nbsp;create&nbsp;or&nbsp;man</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;policies&nbsp;and&nbsp;preserve&nbsp;the&nbsp;life&nbsp;of&nbsp;compromised&nbsp;credentials.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ipulate&nbsp;accounts,&nbsp;the&nbsp;adversary&nbsp;must&nbsp;already&nbsp;have&nbsp;sufficient</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;In&nbsp;order&nbsp;to&nbsp;create&nbsp;or&nbsp;manipulate&nbsp;accounts,&nbsp;the&nbsp;adversary&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;permissions&nbsp;on&nbsp;systems&nbsp;or&nbsp;the&nbsp;domain.&nbsp;However,&nbsp;account&nbsp;mani</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ust&nbsp;already&nbsp;have&nbsp;sufficient&nbsp;permissions&nbsp;on&nbsp;systems&nbsp;or&nbsp;the&nbsp;do</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pulation&nbsp;may&nbsp;also&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation&nbsp;where&nbsp;modific</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">main.&nbsp;However,&nbsp;account&nbsp;manipulation&nbsp;may&nbsp;also&nbsp;lead&nbsp;to&nbsp;privile</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ations&nbsp;grant&nbsp;access&nbsp;to&nbsp;additional&nbsp;roles,&nbsp;permissions,&nbsp;or&nbsp;hig</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ge&nbsp;escalation&nbsp;where&nbsp;modifications&nbsp;grant&nbsp;access&nbsp;to&nbsp;additional</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">her-privileged&nbsp;[Valid&nbsp;Accounts](https://attack.mitre.org/tec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;roles,&nbsp;permissions,&nbsp;or&nbsp;higher-privileged&nbsp;[Valid&nbsp;Accounts](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1078).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1078).</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -1898,7 +1898,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:37:24.011000+00:00\", \"old_value\": \"2023-05-04 18:03:36.622000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\\n\\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\\n\\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\\n\\nAdversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \\n\\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account\\u2019s API credentials are deactivated.\\n(Citation: Crowdstrike AWS User Federation Persistence)\", \"old_value\": \"Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\\n\\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\\n\\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\\n\\nAdversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)\\n\\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account\\u2019s API credentials are deactivated.\\n(Citation: Crowdstrike AWS User Federation Persistence)\", \"diff\": \"--- \\n+++ \\n@@ -4,7 +4,7 @@\\n \\n In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\\n \\n-Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)\\n+Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \\n \\n In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account\\u2019s API credentials are deactivated.\\n (Citation: Crowdstrike AWS User Federation Persistence)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.6\", \"old_value\": \"2.5\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['external_references'][3]\": {\"source_name\": \"SpecterOps Azure Privilege Escalation\", \"description\": \"Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.\", \"url\": \"https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5\"}, \"root['external_references'][10]\": {\"source_name\": \"Sysdig ScarletEel 2.0\", \"description\": \"SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.\", \"url\": \"https://sysdig.com/blog/scarleteel-2-0/\"}, \"root['x_mitre_contributors'][6]\": \"Arad Inbar, Fidelis Security\"}}",
                     "previous_version": "2.5",
                     "version_change": "2.5 \u2192 2.6",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to29__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to29__0\"><a href=\"#difflib_chg_to29__top\">t</a></td><td class=\"diff_header\" id=\"from29_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td><td class=\"diff_next\"><a href=\"#difflib_chg_to29__top\">t</a></td><td class=\"diff_header\" id=\"to29_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;accounts</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;accounts</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;instances&nbsp;within&nbsp;the&nbsp;environment.&nbsp;&nbsp;For&nbsp;example,&nbsp;adversa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;instances&nbsp;within&nbsp;the&nbsp;environment.&nbsp;&nbsp;For&nbsp;example,&nbsp;adversa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;add&nbsp;credentials&nbsp;for&nbsp;Service&nbsp;Principals&nbsp;and&nbsp;Applicat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;add&nbsp;credentials&nbsp;for&nbsp;Service&nbsp;Principals&nbsp;and&nbsp;Applicat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ions&nbsp;in&nbsp;addition&nbsp;to&nbsp;existing&nbsp;legitimate&nbsp;credentials&nbsp;in&nbsp;Azure</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ions&nbsp;in&nbsp;addition&nbsp;to&nbsp;existing&nbsp;legitimate&nbsp;credentials&nbsp;in&nbsp;Azure</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;AD.(Citation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;AD.(Citation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death)(Citation:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death&nbsp;Vide</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death)(Citation:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death&nbsp;Vide</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o)&nbsp;These&nbsp;credentials&nbsp;include&nbsp;both&nbsp;x509&nbsp;keys&nbsp;and&nbsp;passwords.(C</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o)&nbsp;These&nbsp;credentials&nbsp;include&nbsp;both&nbsp;x509&nbsp;keys&nbsp;and&nbsp;passwords.(C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)&nbsp;With&nbsp;suffic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)&nbsp;With&nbsp;suffic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ient&nbsp;permissions,&nbsp;there&nbsp;are&nbsp;a&nbsp;variety&nbsp;of&nbsp;ways&nbsp;to&nbsp;add&nbsp;credent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ient&nbsp;permissions,&nbsp;there&nbsp;are&nbsp;a&nbsp;variety&nbsp;of&nbsp;ways&nbsp;to&nbsp;add&nbsp;credent</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;including&nbsp;the&nbsp;Azure&nbsp;Portal,&nbsp;Azure&nbsp;command&nbsp;line&nbsp;interfac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;including&nbsp;the&nbsp;Azure&nbsp;Portal,&nbsp;Azure&nbsp;command&nbsp;line&nbsp;interfac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;and&nbsp;Azure&nbsp;or&nbsp;Az&nbsp;PowerShell&nbsp;modules.(Citation:&nbsp;Demystifyin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;and&nbsp;Azure&nbsp;or&nbsp;Az&nbsp;PowerShell&nbsp;modules.(Citation:&nbsp;Demystifyin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;Azure&nbsp;AD&nbsp;Service&nbsp;Principals)&nbsp;&nbsp;In&nbsp;infrastructure-as-a-servi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;Azure&nbsp;AD&nbsp;Service&nbsp;Principals)&nbsp;&nbsp;In&nbsp;infrastructure-as-a-servi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;(IaaS)&nbsp;environments,&nbsp;after&nbsp;gaining&nbsp;access&nbsp;through&nbsp;[Cloud&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;(IaaS)&nbsp;environments,&nbsp;after&nbsp;gaining&nbsp;access&nbsp;through&nbsp;[Cloud&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Accounts](https://attack.mitre.org/techniques/T1078/004),&nbsp;ad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Accounts](https://attack.mitre.org/techniques/T1078/004),&nbsp;ad</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">versaries&nbsp;may&nbsp;generate&nbsp;or&nbsp;import&nbsp;their&nbsp;own&nbsp;SSH&nbsp;keys&nbsp;using&nbsp;ei</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">versaries&nbsp;may&nbsp;generate&nbsp;or&nbsp;import&nbsp;their&nbsp;own&nbsp;SSH&nbsp;keys&nbsp;using&nbsp;ei</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ther&nbsp;the&nbsp;&lt;code&gt;CreateKeyPair&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;ImportKeyPair&lt;/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ther&nbsp;the&nbsp;&lt;code&gt;CreateKeyPair&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;ImportKeyPair&lt;/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;compute&nbsp;os-login&nbsp;ssh-ke</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;compute&nbsp;os-login&nbsp;ssh-ke</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ys&nbsp;add&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP.(Citation:&nbsp;GCP&nbsp;SSH&nbsp;Key&nbsp;Add)&nbsp;Thi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ys&nbsp;add&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP.(Citation:&nbsp;GCP&nbsp;SSH&nbsp;Key&nbsp;Add)&nbsp;Thi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;allows&nbsp;persistent&nbsp;access&nbsp;to&nbsp;instances&nbsp;within&nbsp;the&nbsp;cloud&nbsp;env</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;allows&nbsp;persistent&nbsp;access&nbsp;to&nbsp;instances&nbsp;within&nbsp;the&nbsp;cloud&nbsp;env</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment&nbsp;without&nbsp;further&nbsp;usage&nbsp;of&nbsp;the&nbsp;compromised&nbsp;cloud&nbsp;acco</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment&nbsp;without&nbsp;further&nbsp;usage&nbsp;of&nbsp;the&nbsp;compromised&nbsp;cloud&nbsp;acco</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unts.(Citation:&nbsp;Expel&nbsp;IO&nbsp;Evil&nbsp;in&nbsp;AWS)(Citation:&nbsp;Expel&nbsp;Behind</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unts.(Citation:&nbsp;Expel&nbsp;IO&nbsp;Evil&nbsp;in&nbsp;AWS)(Citation:&nbsp;Expel&nbsp;Behind</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;Scenes)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;the&nbsp;&lt;code&gt;CreateAcces</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;Scenes)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;the&nbsp;&lt;code&gt;CreateAcces</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sKey&lt;/code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;iam&nbsp;service-accou</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sKey&lt;/code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;iam&nbsp;service-accou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nts&nbsp;keys&nbsp;create&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP&nbsp;to&nbsp;add&nbsp;access&nbsp;keys&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nts&nbsp;keys&nbsp;create&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP&nbsp;to&nbsp;add&nbsp;access&nbsp;keys&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;account.&nbsp;If&nbsp;the&nbsp;target&nbsp;account&nbsp;has&nbsp;different&nbsp;permissions&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;account.&nbsp;If&nbsp;the&nbsp;target&nbsp;account&nbsp;has&nbsp;different&nbsp;permissions&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">from&nbsp;the&nbsp;requesting&nbsp;account,&nbsp;the&nbsp;adversary&nbsp;may&nbsp;also&nbsp;be&nbsp;able&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">from&nbsp;the&nbsp;requesting&nbsp;account,&nbsp;the&nbsp;adversary&nbsp;may&nbsp;also&nbsp;be&nbsp;able&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;escalate&nbsp;their&nbsp;privileges&nbsp;in&nbsp;the&nbsp;environment&nbsp;(i.e.&nbsp;[Cloud</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;escalate&nbsp;their&nbsp;privileges&nbsp;in&nbsp;the&nbsp;environment&nbsp;(i.e.&nbsp;[Cloud</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Accounts](https://attack.mitre.org/techniques/T1078/004)).(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Accounts](https://attack.mitre.org/techniques/T1078/004)).(</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;Rhino&nbsp;Security&nbsp;Labs&nbsp;AWS&nbsp;Privilege&nbsp;Escalation)<span class=\"diff_chg\">&nbsp;</span>&nbsp;In&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;Rhino&nbsp;Security&nbsp;Labs&nbsp;AWS&nbsp;Privilege&nbsp;Escalation)<span class=\"diff_chg\">(Cita</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">AWS&nbsp;environments,&nbsp;adversaries&nbsp;with&nbsp;the&nbsp;appropriate&nbsp;permissio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">tion:&nbsp;Sysdig&nbsp;ScarletEel&nbsp;2.0)&nbsp;For&nbsp;example,&nbsp;in&nbsp;Azure&nbsp;AD&nbsp;enviro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns&nbsp;may&nbsp;also&nbsp;use&nbsp;the&nbsp;`sts:GetFederationToken`&nbsp;API&nbsp;call&nbsp;to&nbsp;cre</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">nments,&nbsp;an&nbsp;adversary&nbsp;with&nbsp;the&nbsp;Application&nbsp;Administrator&nbsp;role</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ate&nbsp;a&nbsp;temporary&nbsp;set&nbsp;of&nbsp;credentials&nbsp;tied&nbsp;to&nbsp;the&nbsp;permissions&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">&nbsp;can&nbsp;add&nbsp;a&nbsp;new&nbsp;set&nbsp;of&nbsp;credentials&nbsp;to&nbsp;their&nbsp;application's&nbsp;ser</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">f&nbsp;the&nbsp;original&nbsp;user&nbsp;account.&nbsp;These&nbsp;credentials&nbsp;may&nbsp;remain&nbsp;va</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">vice&nbsp;principal.</span>&nbsp;In<span class=\"diff_add\">&nbsp;doing&nbsp;so&nbsp;the&nbsp;adversary&nbsp;would&nbsp;be&nbsp;able&nbsp;to&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lid&nbsp;for&nbsp;the&nbsp;duration&nbsp;of&nbsp;their&nbsp;lifetime&nbsp;even&nbsp;if&nbsp;the&nbsp;original&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ccess&nbsp;the&nbsp;service&nbsp;principal\u2019s&nbsp;roles&nbsp;and&nbsp;permissions,&nbsp;which&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">account\u2019s&nbsp;API&nbsp;credentials&nbsp;are&nbsp;deactivated.&nbsp;(Citation:&nbsp;Crowds</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ay&nbsp;be&nbsp;different&nbsp;from&nbsp;those&nbsp;of&nbsp;the&nbsp;Application&nbsp;Administrator.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trike&nbsp;AWS&nbsp;User&nbsp;Federation&nbsp;Persistence)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;SpecterOps&nbsp;Azure&nbsp;Privilege&nbsp;Escalation)&nbsp;&nbsp;&nbsp;In</span>&nbsp;AWS&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nvironments,&nbsp;adversaries&nbsp;with&nbsp;the&nbsp;appropriate&nbsp;permissions&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;also&nbsp;use&nbsp;the&nbsp;`sts:GetFederationToken`&nbsp;API&nbsp;call&nbsp;to&nbsp;create&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;temporary&nbsp;set&nbsp;of&nbsp;credentials&nbsp;tied&nbsp;to&nbsp;the&nbsp;permissions&nbsp;of&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;original&nbsp;user&nbsp;account.&nbsp;These&nbsp;credentials&nbsp;may&nbsp;remain&nbsp;valid&nbsp;f</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;the&nbsp;duration&nbsp;of&nbsp;their&nbsp;lifetime&nbsp;even&nbsp;if&nbsp;the&nbsp;original&nbsp;accou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt\u2019s&nbsp;API&nbsp;credentials&nbsp;are&nbsp;deactivated.&nbsp;(Citation:&nbsp;Crowdstrike</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;AWS&nbsp;User&nbsp;Federation&nbsp;Persistence)</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to7__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to7__0\"><a href=\"#difflib_chg_to7__top\">t</a></td><td class=\"diff_header\" id=\"from7_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td><td class=\"diff_next\"><a href=\"#difflib_chg_to7__top\">t</a></td><td class=\"diff_header\" id=\"to7_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;add&nbsp;adversary-controlled&nbsp;credentials&nbsp;to&nbsp;a&nbsp;cl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;accounts</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;access&nbsp;to&nbsp;victim&nbsp;accounts</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;instances&nbsp;within&nbsp;the&nbsp;environment.&nbsp;&nbsp;For&nbsp;example,&nbsp;adversa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;instances&nbsp;within&nbsp;the&nbsp;environment.&nbsp;&nbsp;For&nbsp;example,&nbsp;adversa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;add&nbsp;credentials&nbsp;for&nbsp;Service&nbsp;Principals&nbsp;and&nbsp;Applicat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;add&nbsp;credentials&nbsp;for&nbsp;Service&nbsp;Principals&nbsp;and&nbsp;Applicat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ions&nbsp;in&nbsp;addition&nbsp;to&nbsp;existing&nbsp;legitimate&nbsp;credentials&nbsp;in&nbsp;Azure</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ions&nbsp;in&nbsp;addition&nbsp;to&nbsp;existing&nbsp;legitimate&nbsp;credentials&nbsp;in&nbsp;Azure</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;AD.(Citation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;AD.(Citation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death)(Citation:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death&nbsp;Vide</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death)(Citation:&nbsp;Blue&nbsp;Cloud&nbsp;of&nbsp;Death&nbsp;Vide</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o)&nbsp;These&nbsp;credentials&nbsp;include&nbsp;both&nbsp;x509&nbsp;keys&nbsp;and&nbsp;passwords.(C</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o)&nbsp;These&nbsp;credentials&nbsp;include&nbsp;both&nbsp;x509&nbsp;keys&nbsp;and&nbsp;passwords.(C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)&nbsp;With&nbsp;suffic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)&nbsp;With&nbsp;suffic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ient&nbsp;permissions,&nbsp;there&nbsp;are&nbsp;a&nbsp;variety&nbsp;of&nbsp;ways&nbsp;to&nbsp;add&nbsp;credent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ient&nbsp;permissions,&nbsp;there&nbsp;are&nbsp;a&nbsp;variety&nbsp;of&nbsp;ways&nbsp;to&nbsp;add&nbsp;credent</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;including&nbsp;the&nbsp;Azure&nbsp;Portal,&nbsp;Azure&nbsp;command&nbsp;line&nbsp;interfac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;including&nbsp;the&nbsp;Azure&nbsp;Portal,&nbsp;Azure&nbsp;command&nbsp;line&nbsp;interfac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;and&nbsp;Azure&nbsp;or&nbsp;Az&nbsp;PowerShell&nbsp;modules.(Citation:&nbsp;Demystifyin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;and&nbsp;Azure&nbsp;or&nbsp;Az&nbsp;PowerShell&nbsp;modules.(Citation:&nbsp;Demystifyin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;Azure&nbsp;AD&nbsp;Service&nbsp;Principals)&nbsp;&nbsp;In&nbsp;infrastructure-as-a-servi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;Azure&nbsp;AD&nbsp;Service&nbsp;Principals)&nbsp;&nbsp;In&nbsp;infrastructure-as-a-servi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;(IaaS)&nbsp;environments,&nbsp;after&nbsp;gaining&nbsp;access&nbsp;through&nbsp;[Cloud&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;(IaaS)&nbsp;environments,&nbsp;after&nbsp;gaining&nbsp;access&nbsp;through&nbsp;[Cloud&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Accounts](https://attack.mitre.org/techniques/T1078/004),&nbsp;ad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Accounts](https://attack.mitre.org/techniques/T1078/004),&nbsp;ad</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">versaries&nbsp;may&nbsp;generate&nbsp;or&nbsp;import&nbsp;their&nbsp;own&nbsp;SSH&nbsp;keys&nbsp;using&nbsp;ei</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">versaries&nbsp;may&nbsp;generate&nbsp;or&nbsp;import&nbsp;their&nbsp;own&nbsp;SSH&nbsp;keys&nbsp;using&nbsp;ei</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ther&nbsp;the&nbsp;&lt;code&gt;CreateKeyPair&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;ImportKeyPair&lt;/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ther&nbsp;the&nbsp;&lt;code&gt;CreateKeyPair&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;ImportKeyPair&lt;/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;compute&nbsp;os-login&nbsp;ssh-ke</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;compute&nbsp;os-login&nbsp;ssh-ke</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ys&nbsp;add&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP.(Citation:&nbsp;GCP&nbsp;SSH&nbsp;Key&nbsp;Add)&nbsp;Thi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ys&nbsp;add&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP.(Citation:&nbsp;GCP&nbsp;SSH&nbsp;Key&nbsp;Add)&nbsp;Thi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;allows&nbsp;persistent&nbsp;access&nbsp;to&nbsp;instances&nbsp;within&nbsp;the&nbsp;cloud&nbsp;env</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;allows&nbsp;persistent&nbsp;access&nbsp;to&nbsp;instances&nbsp;within&nbsp;the&nbsp;cloud&nbsp;env</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment&nbsp;without&nbsp;further&nbsp;usage&nbsp;of&nbsp;the&nbsp;compromised&nbsp;cloud&nbsp;acco</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment&nbsp;without&nbsp;further&nbsp;usage&nbsp;of&nbsp;the&nbsp;compromised&nbsp;cloud&nbsp;acco</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unts.(Citation:&nbsp;Expel&nbsp;IO&nbsp;Evil&nbsp;in&nbsp;AWS)(Citation:&nbsp;Expel&nbsp;Behind</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unts.(Citation:&nbsp;Expel&nbsp;IO&nbsp;Evil&nbsp;in&nbsp;AWS)(Citation:&nbsp;Expel&nbsp;Behind</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;Scenes)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;the&nbsp;&lt;code&gt;CreateAcces</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;Scenes)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;the&nbsp;&lt;code&gt;CreateAcces</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sKey&lt;/code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;iam&nbsp;service-accou</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sKey&lt;/code&gt;&nbsp;API&nbsp;in&nbsp;AWS&nbsp;or&nbsp;the&nbsp;&lt;code&gt;gcloud&nbsp;iam&nbsp;service-accou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nts&nbsp;keys&nbsp;create&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP&nbsp;to&nbsp;add&nbsp;access&nbsp;keys&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nts&nbsp;keys&nbsp;create&lt;/code&gt;&nbsp;command&nbsp;in&nbsp;GCP&nbsp;to&nbsp;add&nbsp;access&nbsp;keys&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;account.&nbsp;If&nbsp;the&nbsp;target&nbsp;account&nbsp;has&nbsp;different&nbsp;permissions&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;account.&nbsp;If&nbsp;the&nbsp;target&nbsp;account&nbsp;has&nbsp;different&nbsp;permissions&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">from&nbsp;the&nbsp;requesting&nbsp;account,&nbsp;the&nbsp;adversary&nbsp;may&nbsp;also&nbsp;be&nbsp;able&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">from&nbsp;the&nbsp;requesting&nbsp;account,&nbsp;the&nbsp;adversary&nbsp;may&nbsp;also&nbsp;be&nbsp;able&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;escalate&nbsp;their&nbsp;privileges&nbsp;in&nbsp;the&nbsp;environment&nbsp;(i.e.&nbsp;[Cloud</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;escalate&nbsp;their&nbsp;privileges&nbsp;in&nbsp;the&nbsp;environment&nbsp;(i.e.&nbsp;[Cloud</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Accounts](https://attack.mitre.org/techniques/T1078/004)).(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Accounts](https://attack.mitre.org/techniques/T1078/004)).(</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;Rhino&nbsp;Security&nbsp;Labs&nbsp;AWS&nbsp;Privilege&nbsp;Escalation)<span class=\"diff_chg\">&nbsp;</span>&nbsp;In&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;Rhino&nbsp;Security&nbsp;Labs&nbsp;AWS&nbsp;Privilege&nbsp;Escalation)<span class=\"diff_chg\">(Cita</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">AWS&nbsp;environments,&nbsp;adversaries&nbsp;with&nbsp;the&nbsp;appropriate&nbsp;permissio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">tion:&nbsp;Sysdig&nbsp;ScarletEel&nbsp;2.0)&nbsp;For&nbsp;example,&nbsp;in&nbsp;Azure&nbsp;AD&nbsp;enviro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns&nbsp;may&nbsp;also&nbsp;use&nbsp;the&nbsp;`sts:GetFederationToken`&nbsp;API&nbsp;call&nbsp;to&nbsp;cre</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">nments,&nbsp;an&nbsp;adversary&nbsp;with&nbsp;the&nbsp;Application&nbsp;Administrator&nbsp;role</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ate&nbsp;a&nbsp;temporary&nbsp;set&nbsp;of&nbsp;credentials&nbsp;tied&nbsp;to&nbsp;the&nbsp;permissions&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">&nbsp;can&nbsp;add&nbsp;a&nbsp;new&nbsp;set&nbsp;of&nbsp;credentials&nbsp;to&nbsp;their&nbsp;application's&nbsp;ser</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">f&nbsp;the&nbsp;original&nbsp;user&nbsp;account.&nbsp;These&nbsp;credentials&nbsp;may&nbsp;remain&nbsp;va</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">vice&nbsp;principal.</span>&nbsp;In<span class=\"diff_add\">&nbsp;doing&nbsp;so&nbsp;the&nbsp;adversary&nbsp;would&nbsp;be&nbsp;able&nbsp;to&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lid&nbsp;for&nbsp;the&nbsp;duration&nbsp;of&nbsp;their&nbsp;lifetime&nbsp;even&nbsp;if&nbsp;the&nbsp;original&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ccess&nbsp;the&nbsp;service&nbsp;principal\u2019s&nbsp;roles&nbsp;and&nbsp;permissions,&nbsp;which&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">account\u2019s&nbsp;API&nbsp;credentials&nbsp;are&nbsp;deactivated.&nbsp;(Citation:&nbsp;Crowds</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ay&nbsp;be&nbsp;different&nbsp;from&nbsp;those&nbsp;of&nbsp;the&nbsp;Application&nbsp;Administrator.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trike&nbsp;AWS&nbsp;User&nbsp;Federation&nbsp;Persistence)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;SpecterOps&nbsp;Azure&nbsp;Privilege&nbsp;Escalation)&nbsp;&nbsp;&nbsp;In</span>&nbsp;AWS&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nvironments,&nbsp;adversaries&nbsp;with&nbsp;the&nbsp;appropriate&nbsp;permissions&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;also&nbsp;use&nbsp;the&nbsp;`sts:GetFederationToken`&nbsp;API&nbsp;call&nbsp;to&nbsp;create&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;temporary&nbsp;set&nbsp;of&nbsp;credentials&nbsp;tied&nbsp;to&nbsp;the&nbsp;permissions&nbsp;of&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;original&nbsp;user&nbsp;account.&nbsp;These&nbsp;credentials&nbsp;may&nbsp;remain&nbsp;valid&nbsp;f</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;the&nbsp;duration&nbsp;of&nbsp;their&nbsp;lifetime&nbsp;even&nbsp;if&nbsp;the&nbsp;original&nbsp;accou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt\u2019s&nbsp;API&nbsp;credentials&nbsp;are&nbsp;deactivated.&nbsp;(Citation:&nbsp;Crowdstrike</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;AWS&nbsp;User&nbsp;Federation&nbsp;Persistence)</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -2009,7 +2009,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:37:41.250000+00:00\", \"old_value\": \"2023-04-14 22:48:50.142000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\\n(Citation: Microsoft O365 Admin Roles) \\n\\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\\n\\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\", \"old_value\": \"An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\\n(Citation: Microsoft O365 Admin Roles) \\n\\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\\n\\nFor example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\\n\\nSimilarly, an adversary with the Azure AD Global Administrator role can toggle the \\u201cAccess management for Azure resources\\u201d option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) \", \"diff\": \"--- \\n+++ \\n@@ -3,6 +3,4 @@\\n \\n This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\\n \\n-For example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal\\u2019s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\\n-\\n-Similarly, an adversary with the Azure AD Global Administrator role can toggle the \\u201cAccess management for Azure resources\\u201d option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) \\n+For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][8]\": \"Arad Inbar, Fidelis Security\"}, \"iterable_item_removed\": {\"root['external_references'][3]\": {\"source_name\": \"SpecterOps Azure Privilege Escalation\", \"description\": \"Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.\", \"url\": \"https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5\"}, \"root['external_references'][7]\": {\"source_name\": \"Azure AD to AD\", \"description\": \"Sean Metcalf. (2020, May 27). From Azure AD to Active Directory (via Azure) \\u2013 An Unanticipated Attack Path. Retrieved September 28, 2022.\", \"url\": \"https://adsecurity.org/?p=4277\"}}}",
                     "previous_version": "2.2",
                     "version_change": "2.2 \u2192 2.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to32__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to32__0\"><a href=\"#difflib_chg_to32__top\">t</a></td><td class=\"diff_header\" id=\"from32_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to32__top\">t</a></td><td class=\"diff_header\" id=\"to32_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dversary-controlled&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;acc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dversary-controlled&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;acc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ess&nbsp;to&nbsp;a&nbsp;tenant.&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;update&nbsp;IAM&nbsp;pol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ess&nbsp;to&nbsp;a&nbsp;tenant.&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;update&nbsp;IAM&nbsp;pol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">icies&nbsp;in&nbsp;cloud-based&nbsp;environments&nbsp;or&nbsp;add&nbsp;a&nbsp;new&nbsp;global&nbsp;admini</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icies&nbsp;in&nbsp;cloud-based&nbsp;environments&nbsp;or&nbsp;add&nbsp;a&nbsp;new&nbsp;global&nbsp;admini</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">strator&nbsp;in&nbsp;Office&nbsp;365&nbsp;environments.(Citation:&nbsp;AWS&nbsp;IAM&nbsp;Polici</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">strator&nbsp;in&nbsp;Office&nbsp;365&nbsp;environments.(Citation:&nbsp;AWS&nbsp;IAM&nbsp;Polici</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;and&nbsp;Permissions)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;IAM&nbsp;Policies)(Cit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es&nbsp;and&nbsp;Permissions)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;IAM&nbsp;Policies)(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ation:&nbsp;Microsoft&nbsp;Support&nbsp;O365&nbsp;Add&nbsp;Another&nbsp;Admin,&nbsp;October&nbsp;201</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation:&nbsp;Microsoft&nbsp;Support&nbsp;O365&nbsp;Add&nbsp;Another&nbsp;Admin,&nbsp;October&nbsp;201</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">9)(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;With&nbsp;sufficient&nbsp;per</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">9)(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;With&nbsp;sufficient&nbsp;per</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">missions,&nbsp;a&nbsp;compromised&nbsp;account&nbsp;can&nbsp;gain&nbsp;almost&nbsp;unlimited&nbsp;ac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">missions,&nbsp;a&nbsp;compromised&nbsp;account&nbsp;can&nbsp;gain&nbsp;almost&nbsp;unlimited&nbsp;ac</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cess&nbsp;to&nbsp;data&nbsp;and&nbsp;settings&nbsp;(including&nbsp;the&nbsp;ability&nbsp;to&nbsp;reset&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cess&nbsp;to&nbsp;data&nbsp;and&nbsp;settings&nbsp;(including&nbsp;the&nbsp;ability&nbsp;to&nbsp;reset&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;passwords&nbsp;of&nbsp;other&nbsp;admins).(Citation:&nbsp;Expel&nbsp;AWS&nbsp;Attacker)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;passwords&nbsp;of&nbsp;other&nbsp;admins).(Citation:&nbsp;Expel&nbsp;AWS&nbsp;Attacker)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;&nbsp;&nbsp;This&nbsp;account&nbsp;modifi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;&nbsp;&nbsp;This&nbsp;account&nbsp;modifi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cation&nbsp;may&nbsp;immediately&nbsp;follow&nbsp;[Create&nbsp;Account](https://attac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cation&nbsp;may&nbsp;immediately&nbsp;follow&nbsp;[Create&nbsp;Account](https://attac</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">k.mitre.org/techniques/T1136)&nbsp;or&nbsp;other&nbsp;malicious&nbsp;account&nbsp;act</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">k.mitre.org/techniques/T1136)&nbsp;or&nbsp;other&nbsp;malicious&nbsp;account&nbsp;act</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ivity.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;modify&nbsp;existing&nbsp;[Valid&nbsp;Accounts]</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ivity.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;modify&nbsp;existing&nbsp;[Valid&nbsp;Accounts]</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(https://attack.mitre.org/techniques/T1078)&nbsp;that&nbsp;they&nbsp;have&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(https://attack.mitre.org/techniques/T1078)&nbsp;that&nbsp;they&nbsp;have&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ompromised.&nbsp;This&nbsp;could&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation,&nbsp;particu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ompromised.&nbsp;This&nbsp;could&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation,&nbsp;particu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">larly&nbsp;if&nbsp;the&nbsp;roles&nbsp;added&nbsp;allow&nbsp;for&nbsp;lateral&nbsp;movement&nbsp;to&nbsp;addit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">larly&nbsp;if&nbsp;the&nbsp;roles&nbsp;added&nbsp;allow&nbsp;for&nbsp;lateral&nbsp;movement&nbsp;to&nbsp;addit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ional&nbsp;accounts.&nbsp;&nbsp;For&nbsp;example,&nbsp;in&nbsp;Azure&nbsp;AD&nbsp;environments,&nbsp;an&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ional&nbsp;accounts.&nbsp;&nbsp;For&nbsp;example,&nbsp;in&nbsp;AWS&nbsp;environments,&nbsp;an&nbsp;advers</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dversary&nbsp;with&nbsp;the&nbsp;Application&nbsp;Administrator&nbsp;role&nbsp;can&nbsp;add&nbsp;[Ad</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ary&nbsp;with&nbsp;appropriate&nbsp;permissions&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;use&nbsp;the&nbsp;&lt;cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ditional&nbsp;Cloud&nbsp;Credentials](https://attack.mitre.org/techniq</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;CreatePolicyVersion&lt;/code&gt;&nbsp;API&nbsp;to&nbsp;define&nbsp;a&nbsp;new&nbsp;version&nbsp;of&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ues/T1098/001)&nbsp;to&nbsp;their&nbsp;application's&nbsp;service&nbsp;principal.&nbsp;In&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">an&nbsp;IAM&nbsp;policy&nbsp;or&nbsp;the&nbsp;&lt;code&gt;AttachUserPolicy&lt;/code&gt;&nbsp;API&nbsp;to&nbsp;at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">doing&nbsp;so&nbsp;the&nbsp;adversary&nbsp;would&nbsp;be&nbsp;able&nbsp;to&nbsp;gain&nbsp;the&nbsp;service&nbsp;pri</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tach&nbsp;an&nbsp;IAM&nbsp;policy&nbsp;with&nbsp;additional&nbsp;or&nbsp;distinct&nbsp;permissions&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ncipal\u2019s&nbsp;roles&nbsp;and&nbsp;permissions,&nbsp;which&nbsp;may&nbsp;be&nbsp;different&nbsp;from&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;a&nbsp;compromised&nbsp;user&nbsp;account.(Citation:&nbsp;Rhino&nbsp;Security&nbsp;Labs&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">those&nbsp;of&nbsp;the&nbsp;Application&nbsp;Administrator.(Citation:&nbsp;SpecterOps</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">AWS&nbsp;Privilege&nbsp;Escalation)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Azure&nbsp;Privilege&nbsp;Escalation)&nbsp;Similarly,&nbsp;in&nbsp;AWS&nbsp;environments,</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;an&nbsp;adversary&nbsp;with&nbsp;appropriate&nbsp;permissions&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;us</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;the&nbsp;&lt;code&gt;CreatePolicyVersion&lt;/code&gt;&nbsp;API&nbsp;to&nbsp;define&nbsp;a&nbsp;new&nbsp;v</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ersion&nbsp;of&nbsp;an&nbsp;IAM&nbsp;policy&nbsp;or&nbsp;the&nbsp;&lt;code&gt;AttachUserPolicy&lt;/code&gt;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;API&nbsp;to&nbsp;attach&nbsp;an&nbsp;IAM&nbsp;policy&nbsp;with&nbsp;additional&nbsp;or&nbsp;distinct&nbsp;per</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">missions&nbsp;to&nbsp;a&nbsp;compromised&nbsp;user&nbsp;account.(Citation:&nbsp;Rhino&nbsp;Secu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rity&nbsp;Labs&nbsp;AWS&nbsp;Privilege&nbsp;Escalation)&nbsp;&nbsp;Similarly,&nbsp;an&nbsp;adversary</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;with&nbsp;the&nbsp;Azure&nbsp;AD&nbsp;Global&nbsp;Administrator&nbsp;role&nbsp;can&nbsp;toggle&nbsp;the&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\u201cAccess&nbsp;management&nbsp;for&nbsp;Azure&nbsp;resources\u201d&nbsp;option&nbsp;to&nbsp;gain&nbsp;the&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">bility&nbsp;to&nbsp;assign&nbsp;privileged&nbsp;access&nbsp;to&nbsp;Azure&nbsp;subscriptions&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;virtual&nbsp;machines&nbsp;to&nbsp;Azure&nbsp;AD&nbsp;users,&nbsp;including&nbsp;themselves.(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;Azure&nbsp;AD&nbsp;to&nbsp;AD)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to25__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to25__0\"><a href=\"#difflib_chg_to25__top\">t</a></td><td class=\"diff_header\" id=\"from25_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to25__top\">t</a></td><td class=\"diff_header\" id=\"to25_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">An&nbsp;adversary&nbsp;may&nbsp;add&nbsp;additional&nbsp;roles&nbsp;or&nbsp;permissions&nbsp;to&nbsp;an&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dversary-controlled&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;acc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dversary-controlled&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistent&nbsp;acc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ess&nbsp;to&nbsp;a&nbsp;tenant.&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;update&nbsp;IAM&nbsp;pol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ess&nbsp;to&nbsp;a&nbsp;tenant.&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;update&nbsp;IAM&nbsp;pol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">icies&nbsp;in&nbsp;cloud-based&nbsp;environments&nbsp;or&nbsp;add&nbsp;a&nbsp;new&nbsp;global&nbsp;admini</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">icies&nbsp;in&nbsp;cloud-based&nbsp;environments&nbsp;or&nbsp;add&nbsp;a&nbsp;new&nbsp;global&nbsp;admini</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">strator&nbsp;in&nbsp;Office&nbsp;365&nbsp;environments.(Citation:&nbsp;AWS&nbsp;IAM&nbsp;Polici</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">strator&nbsp;in&nbsp;Office&nbsp;365&nbsp;environments.(Citation:&nbsp;AWS&nbsp;IAM&nbsp;Polici</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;and&nbsp;Permissions)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;IAM&nbsp;Policies)(Cit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es&nbsp;and&nbsp;Permissions)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;IAM&nbsp;Policies)(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ation:&nbsp;Microsoft&nbsp;Support&nbsp;O365&nbsp;Add&nbsp;Another&nbsp;Admin,&nbsp;October&nbsp;201</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation:&nbsp;Microsoft&nbsp;Support&nbsp;O365&nbsp;Add&nbsp;Another&nbsp;Admin,&nbsp;October&nbsp;201</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">9)(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;With&nbsp;sufficient&nbsp;per</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">9)(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;With&nbsp;sufficient&nbsp;per</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">missions,&nbsp;a&nbsp;compromised&nbsp;account&nbsp;can&nbsp;gain&nbsp;almost&nbsp;unlimited&nbsp;ac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">missions,&nbsp;a&nbsp;compromised&nbsp;account&nbsp;can&nbsp;gain&nbsp;almost&nbsp;unlimited&nbsp;ac</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cess&nbsp;to&nbsp;data&nbsp;and&nbsp;settings&nbsp;(including&nbsp;the&nbsp;ability&nbsp;to&nbsp;reset&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cess&nbsp;to&nbsp;data&nbsp;and&nbsp;settings&nbsp;(including&nbsp;the&nbsp;ability&nbsp;to&nbsp;reset&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;passwords&nbsp;of&nbsp;other&nbsp;admins).(Citation:&nbsp;Expel&nbsp;AWS&nbsp;Attacker)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;passwords&nbsp;of&nbsp;other&nbsp;admins).(Citation:&nbsp;Expel&nbsp;AWS&nbsp;Attacker)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;&nbsp;&nbsp;This&nbsp;account&nbsp;modifi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;Microsoft&nbsp;O365&nbsp;Admin&nbsp;Roles)&nbsp;&nbsp;&nbsp;This&nbsp;account&nbsp;modifi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cation&nbsp;may&nbsp;immediately&nbsp;follow&nbsp;[Create&nbsp;Account](https://attac</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cation&nbsp;may&nbsp;immediately&nbsp;follow&nbsp;[Create&nbsp;Account](https://attac</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">k.mitre.org/techniques/T1136)&nbsp;or&nbsp;other&nbsp;malicious&nbsp;account&nbsp;act</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">k.mitre.org/techniques/T1136)&nbsp;or&nbsp;other&nbsp;malicious&nbsp;account&nbsp;act</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ivity.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;modify&nbsp;existing&nbsp;[Valid&nbsp;Accounts]</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ivity.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;modify&nbsp;existing&nbsp;[Valid&nbsp;Accounts]</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(https://attack.mitre.org/techniques/T1078)&nbsp;that&nbsp;they&nbsp;have&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(https://attack.mitre.org/techniques/T1078)&nbsp;that&nbsp;they&nbsp;have&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ompromised.&nbsp;This&nbsp;could&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation,&nbsp;particu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ompromised.&nbsp;This&nbsp;could&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation,&nbsp;particu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">larly&nbsp;if&nbsp;the&nbsp;roles&nbsp;added&nbsp;allow&nbsp;for&nbsp;lateral&nbsp;movement&nbsp;to&nbsp;addit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">larly&nbsp;if&nbsp;the&nbsp;roles&nbsp;added&nbsp;allow&nbsp;for&nbsp;lateral&nbsp;movement&nbsp;to&nbsp;addit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ional&nbsp;accounts.&nbsp;&nbsp;For&nbsp;example,&nbsp;in&nbsp;Azure&nbsp;AD&nbsp;environments,&nbsp;an&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ional&nbsp;accounts.&nbsp;&nbsp;For&nbsp;example,&nbsp;in&nbsp;AWS&nbsp;environments,&nbsp;an&nbsp;advers</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dversary&nbsp;with&nbsp;the&nbsp;Application&nbsp;Administrator&nbsp;role&nbsp;can&nbsp;add&nbsp;[Ad</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ary&nbsp;with&nbsp;appropriate&nbsp;permissions&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;use&nbsp;the&nbsp;&lt;cod</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ditional&nbsp;Cloud&nbsp;Credentials](https://attack.mitre.org/techniq</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&gt;CreatePolicyVersion&lt;/code&gt;&nbsp;API&nbsp;to&nbsp;define&nbsp;a&nbsp;new&nbsp;version&nbsp;of&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ues/T1098/001)&nbsp;to&nbsp;their&nbsp;application's&nbsp;service&nbsp;principal.&nbsp;In&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">an&nbsp;IAM&nbsp;policy&nbsp;or&nbsp;the&nbsp;&lt;code&gt;AttachUserPolicy&lt;/code&gt;&nbsp;API&nbsp;to&nbsp;at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">doing&nbsp;so&nbsp;the&nbsp;adversary&nbsp;would&nbsp;be&nbsp;able&nbsp;to&nbsp;gain&nbsp;the&nbsp;service&nbsp;pri</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tach&nbsp;an&nbsp;IAM&nbsp;policy&nbsp;with&nbsp;additional&nbsp;or&nbsp;distinct&nbsp;permissions&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ncipal\u2019s&nbsp;roles&nbsp;and&nbsp;permissions,&nbsp;which&nbsp;may&nbsp;be&nbsp;different&nbsp;from&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;a&nbsp;compromised&nbsp;user&nbsp;account.(Citation:&nbsp;Rhino&nbsp;Security&nbsp;Labs&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">those&nbsp;of&nbsp;the&nbsp;Application&nbsp;Administrator.(Citation:&nbsp;SpecterOps</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">AWS&nbsp;Privilege&nbsp;Escalation)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Azure&nbsp;Privilege&nbsp;Escalation)&nbsp;Similarly,&nbsp;in&nbsp;AWS&nbsp;environments,</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;an&nbsp;adversary&nbsp;with&nbsp;appropriate&nbsp;permissions&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;us</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;the&nbsp;&lt;code&gt;CreatePolicyVersion&lt;/code&gt;&nbsp;API&nbsp;to&nbsp;define&nbsp;a&nbsp;new&nbsp;v</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ersion&nbsp;of&nbsp;an&nbsp;IAM&nbsp;policy&nbsp;or&nbsp;the&nbsp;&lt;code&gt;AttachUserPolicy&lt;/code&gt;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;API&nbsp;to&nbsp;attach&nbsp;an&nbsp;IAM&nbsp;policy&nbsp;with&nbsp;additional&nbsp;or&nbsp;distinct&nbsp;per</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">missions&nbsp;to&nbsp;a&nbsp;compromised&nbsp;user&nbsp;account.(Citation:&nbsp;Rhino&nbsp;Secu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rity&nbsp;Labs&nbsp;AWS&nbsp;Privilege&nbsp;Escalation)&nbsp;&nbsp;Similarly,&nbsp;an&nbsp;adversary</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;with&nbsp;the&nbsp;Azure&nbsp;AD&nbsp;Global&nbsp;Administrator&nbsp;role&nbsp;can&nbsp;toggle&nbsp;the&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">\u201cAccess&nbsp;management&nbsp;for&nbsp;Azure&nbsp;resources\u201d&nbsp;option&nbsp;to&nbsp;gain&nbsp;the&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">bility&nbsp;to&nbsp;assign&nbsp;privileged&nbsp;access&nbsp;to&nbsp;Azure&nbsp;subscriptions&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;virtual&nbsp;machines&nbsp;to&nbsp;Azure&nbsp;AD&nbsp;users,&nbsp;including&nbsp;themselves.(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;Azure&nbsp;AD&nbsp;to&nbsp;AD)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -2347,7 +2347,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 17:38:21.121000+00:00\", \"old_value\": \"2023-04-12 23:28:34.599000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system\\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \\u201cyes\\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.\\n\\nAdversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\\n\\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \\n\\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)\", \"old_value\": \"Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system\\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \\u201cyes\\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.\\n\\nAdversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) \\n\\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \\n\\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system\\u2019s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value \\u201cyes\\u201d to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.\\n \\n-Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) \\n+Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\\u2019s \\u201cadd-metadata\\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\\n \\n Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['kill_chain_phases'][1]\": {\"kill_chain_name\": \"mitre-attack\", \"phase_name\": \"privilege-escalation\"}, \"root['x_mitre_contributors'][4]\": \"Arad Inbar, Fidelis Security\"}}",
                     "previous_version": "1.2",
                     "version_change": "1.2 \u2192 1.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to28__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to28__0\"><a href=\"#difflib_chg_to28__top\">t</a></td><td class=\"diff_header\" id=\"from28_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to28__top\">t</a></td><td class=\"diff_header\" id=\"to28_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">file&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;on&nbsp;a&nbsp;victim&nbsp;host.&nbsp;Linux&nbsp;distrib</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">file&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;on&nbsp;a&nbsp;victim&nbsp;host.&nbsp;Linux&nbsp;distrib</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">utions&nbsp;and&nbsp;macOS&nbsp;commonly&nbsp;use&nbsp;key-based&nbsp;authentication&nbsp;to&nbsp;se</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">utions&nbsp;and&nbsp;macOS&nbsp;commonly&nbsp;use&nbsp;key-based&nbsp;authentication&nbsp;to&nbsp;se</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cure&nbsp;the&nbsp;authentication&nbsp;process&nbsp;of&nbsp;SSH&nbsp;sessions&nbsp;for&nbsp;remote&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cure&nbsp;the&nbsp;authentication&nbsp;process&nbsp;of&nbsp;SSH&nbsp;sessions&nbsp;for&nbsp;remote&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">anagement.&nbsp;The&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;file&nbsp;in&nbsp;SSH&nbsp;spec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">anagement.&nbsp;The&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;file&nbsp;in&nbsp;SSH&nbsp;spec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ifies&nbsp;the&nbsp;SSH&nbsp;keys&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;for&nbsp;logging&nbsp;into&nbsp;the&nbsp;use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ifies&nbsp;the&nbsp;SSH&nbsp;keys&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;for&nbsp;logging&nbsp;into&nbsp;the&nbsp;use</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;account&nbsp;for&nbsp;which&nbsp;the&nbsp;file&nbsp;is&nbsp;configured.&nbsp;This&nbsp;file&nbsp;is&nbsp;usu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;account&nbsp;for&nbsp;which&nbsp;the&nbsp;file&nbsp;is&nbsp;configured.&nbsp;This&nbsp;file&nbsp;is&nbsp;usu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;found&nbsp;in&nbsp;the&nbsp;user's&nbsp;home&nbsp;directory&nbsp;under&nbsp;&lt;code&gt;&amp;lt;user</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;found&nbsp;in&nbsp;the&nbsp;user's&nbsp;home&nbsp;directory&nbsp;under&nbsp;&lt;code&gt;&amp;lt;user</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">-home&amp;gt;/.ssh/authorized_keys&lt;/code&gt;.(Citation:&nbsp;SSH&nbsp;Authori</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">-home&amp;gt;/.ssh/authorized_keys&lt;/code&gt;.(Citation:&nbsp;SSH&nbsp;Authori</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">zed&nbsp;Keys)&nbsp;Users&nbsp;may&nbsp;edit&nbsp;the&nbsp;system\u2019s&nbsp;SSH&nbsp;config&nbsp;file&nbsp;to&nbsp;mod</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">zed&nbsp;Keys)&nbsp;Users&nbsp;may&nbsp;edit&nbsp;the&nbsp;system\u2019s&nbsp;SSH&nbsp;config&nbsp;file&nbsp;to&nbsp;mod</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ify&nbsp;the&nbsp;directives&nbsp;PubkeyAuthentication&nbsp;and&nbsp;RSAAuthenticatio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ify&nbsp;the&nbsp;directives&nbsp;PubkeyAuthentication&nbsp;and&nbsp;RSAAuthenticatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;to&nbsp;the&nbsp;value&nbsp;\u201cyes\u201d&nbsp;to&nbsp;ensure&nbsp;public&nbsp;key&nbsp;and&nbsp;RSA&nbsp;authentica</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;to&nbsp;the&nbsp;value&nbsp;\u201cyes\u201d&nbsp;to&nbsp;ensure&nbsp;public&nbsp;key&nbsp;and&nbsp;RSA&nbsp;authentica</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;are&nbsp;enabled.&nbsp;The&nbsp;SSH&nbsp;config&nbsp;file&nbsp;is&nbsp;usually&nbsp;located&nbsp;und</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;are&nbsp;enabled.&nbsp;The&nbsp;SSH&nbsp;config&nbsp;file&nbsp;is&nbsp;usually&nbsp;located&nbsp;und</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;&lt;code&gt;/etc/ssh/sshd_config&lt;/code&gt;.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;modif</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;&lt;code&gt;/etc/ssh/sshd_config&lt;/code&gt;.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;modif</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;files&nbsp;directly&nbsp;with&nbsp;scrip</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;files&nbsp;directly&nbsp;with&nbsp;scrip</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ts&nbsp;or&nbsp;shell&nbsp;commands&nbsp;to&nbsp;add&nbsp;their&nbsp;own&nbsp;adversary-supplied&nbsp;pub</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ts&nbsp;or&nbsp;shell&nbsp;commands&nbsp;to&nbsp;add&nbsp;their&nbsp;own&nbsp;adversary-supplied&nbsp;pub</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lic&nbsp;keys.&nbsp;In&nbsp;cloud&nbsp;environments,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lic&nbsp;keys.&nbsp;In&nbsp;cloud&nbsp;environments,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modify&nbsp;the&nbsp;SSH&nbsp;authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;particular&nbsp;virtual&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modify&nbsp;the&nbsp;SSH&nbsp;authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;particular&nbsp;virtual&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">machine&nbsp;via&nbsp;the&nbsp;command&nbsp;line&nbsp;interface&nbsp;or&nbsp;rest&nbsp;API.&nbsp;For&nbsp;exam</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">machine&nbsp;via&nbsp;the&nbsp;command&nbsp;line&nbsp;interface&nbsp;or&nbsp;rest&nbsp;API.&nbsp;For&nbsp;exam</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ple,&nbsp;by&nbsp;using&nbsp;the&nbsp;Google&nbsp;Cloud&nbsp;CLI\u2019s&nbsp;\u201cadd-metadata\u201d&nbsp;command&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ple,&nbsp;by&nbsp;using&nbsp;the&nbsp;Google&nbsp;Cloud&nbsp;CLI\u2019s&nbsp;\u201cadd-metadata\u201d&nbsp;command&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;adversary&nbsp;may&nbsp;add&nbsp;SSH&nbsp;keys&nbsp;to&nbsp;a&nbsp;user&nbsp;account.(Citation:&nbsp;G</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;adversary&nbsp;may&nbsp;add&nbsp;SSH&nbsp;keys&nbsp;to&nbsp;a&nbsp;user&nbsp;account.(Citation:&nbsp;G</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oogle&nbsp;Cloud&nbsp;Add&nbsp;Metadata)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;Privilege&nbsp;E</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oogle&nbsp;Cloud&nbsp;Add&nbsp;Metadata)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;Privilege&nbsp;E</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">scalation)&nbsp;Similarly,&nbsp;in&nbsp;Azure,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;update&nbsp;the&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">scalation)&nbsp;Similarly,&nbsp;in&nbsp;Azure,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;update&nbsp;the&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;virtual&nbsp;machine&nbsp;via&nbsp;a&nbsp;PATCH&nbsp;reques</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;virtual&nbsp;machine&nbsp;via&nbsp;a&nbsp;PATCH&nbsp;reques</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;to&nbsp;the&nbsp;API.(Citation:&nbsp;Azure&nbsp;Update&nbsp;Virtual&nbsp;Machines)&nbsp;This&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;to&nbsp;the&nbsp;API.(Citation:&nbsp;Azure&nbsp;Update&nbsp;Virtual&nbsp;Machines)&nbsp;This&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ensures&nbsp;that&nbsp;an&nbsp;adversary&nbsp;possessing&nbsp;the&nbsp;corresponding&nbsp;priva</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ensures&nbsp;that&nbsp;an&nbsp;adversary&nbsp;possessing&nbsp;the&nbsp;corresponding&nbsp;priva</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">te&nbsp;key&nbsp;may&nbsp;log&nbsp;in&nbsp;as&nbsp;an&nbsp;existing&nbsp;user&nbsp;via&nbsp;SSH.(Citation:&nbsp;Ven</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">te&nbsp;key&nbsp;may&nbsp;log&nbsp;in&nbsp;as&nbsp;an&nbsp;existing&nbsp;user&nbsp;via&nbsp;SSH.(Citation:&nbsp;Ven</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">afi&nbsp;SSH&nbsp;Key&nbsp;Abuse)(Citation:&nbsp;Cybereason&nbsp;Linux&nbsp;Exim&nbsp;Worm)&nbsp;&nbsp;&nbsp;W</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">afi&nbsp;SSH&nbsp;Key&nbsp;Abuse)(Citation:&nbsp;Cybereason&nbsp;Linux&nbsp;Exim&nbsp;Worm)&nbsp;<span class=\"diff_add\">It&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">here&nbsp;authorized_keys&nbsp;files&nbsp;are&nbsp;modified&nbsp;via&nbsp;cloud&nbsp;APIs&nbsp;or&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">may&nbsp;also&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation&nbsp;where&nbsp;the&nbsp;virtual&nbsp;mach</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mmand&nbsp;line&nbsp;interfaces,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;achieve&nbsp;privilege&nbsp;es</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ine&nbsp;or&nbsp;instance&nbsp;has&nbsp;distinct&nbsp;permissions&nbsp;from&nbsp;the&nbsp;requesting</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">calation&nbsp;on&nbsp;the&nbsp;target&nbsp;virtual&nbsp;machine&nbsp;if&nbsp;they&nbsp;add&nbsp;a&nbsp;key&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;user.</span>&nbsp;&nbsp;Where&nbsp;authorized_keys&nbsp;files&nbsp;are&nbsp;modified&nbsp;via&nbsp;cloud&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;higher-privileged&nbsp;user.&nbsp;&nbsp;&nbsp;SSH&nbsp;keys&nbsp;can&nbsp;also&nbsp;be&nbsp;added&nbsp;to&nbsp;ac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">PIs&nbsp;or&nbsp;command&nbsp;line&nbsp;interfaces,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;achieve&nbsp;pri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">counts&nbsp;on&nbsp;network&nbsp;devices,&nbsp;such&nbsp;as&nbsp;with&nbsp;the&nbsp;`ip&nbsp;ssh&nbsp;pubkey-c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">vilege&nbsp;escalation&nbsp;on&nbsp;the&nbsp;target&nbsp;virtual&nbsp;machine&nbsp;if&nbsp;they&nbsp;add&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hain`&nbsp;[Network&nbsp;Device&nbsp;CLI](https://attack.mitre.org/techniqu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;key&nbsp;to&nbsp;a&nbsp;higher-privileged&nbsp;user.&nbsp;&nbsp;&nbsp;SSH&nbsp;keys&nbsp;can&nbsp;also&nbsp;be&nbsp;ad</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es/T1059/008)&nbsp;command.(Citation:&nbsp;cisco_ip_ssh_pubkey_ch_cmd)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ded&nbsp;to&nbsp;accounts&nbsp;on&nbsp;network&nbsp;devices,&nbsp;such&nbsp;as&nbsp;with&nbsp;the&nbsp;`ip&nbsp;ssh</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;pubkey-chain`&nbsp;[Network&nbsp;Device&nbsp;CLI](https://attack.mitre.org</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/techniques/T1059/008)&nbsp;command.(Citation:&nbsp;cisco_ip_ssh_pubke</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y_ch_cmd)</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to19__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to19__0\"><a href=\"#difflib_chg_to19__top\">t</a></td><td class=\"diff_header\" id=\"from19_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to19__top\">t</a></td><td class=\"diff_header\" id=\"to19_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;the&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">file&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;on&nbsp;a&nbsp;victim&nbsp;host.&nbsp;Linux&nbsp;distrib</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">file&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;on&nbsp;a&nbsp;victim&nbsp;host.&nbsp;Linux&nbsp;distrib</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">utions&nbsp;and&nbsp;macOS&nbsp;commonly&nbsp;use&nbsp;key-based&nbsp;authentication&nbsp;to&nbsp;se</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">utions&nbsp;and&nbsp;macOS&nbsp;commonly&nbsp;use&nbsp;key-based&nbsp;authentication&nbsp;to&nbsp;se</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cure&nbsp;the&nbsp;authentication&nbsp;process&nbsp;of&nbsp;SSH&nbsp;sessions&nbsp;for&nbsp;remote&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cure&nbsp;the&nbsp;authentication&nbsp;process&nbsp;of&nbsp;SSH&nbsp;sessions&nbsp;for&nbsp;remote&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">anagement.&nbsp;The&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;file&nbsp;in&nbsp;SSH&nbsp;spec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">anagement.&nbsp;The&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;file&nbsp;in&nbsp;SSH&nbsp;spec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ifies&nbsp;the&nbsp;SSH&nbsp;keys&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;for&nbsp;logging&nbsp;into&nbsp;the&nbsp;use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ifies&nbsp;the&nbsp;SSH&nbsp;keys&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;for&nbsp;logging&nbsp;into&nbsp;the&nbsp;use</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;account&nbsp;for&nbsp;which&nbsp;the&nbsp;file&nbsp;is&nbsp;configured.&nbsp;This&nbsp;file&nbsp;is&nbsp;usu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;account&nbsp;for&nbsp;which&nbsp;the&nbsp;file&nbsp;is&nbsp;configured.&nbsp;This&nbsp;file&nbsp;is&nbsp;usu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;found&nbsp;in&nbsp;the&nbsp;user's&nbsp;home&nbsp;directory&nbsp;under&nbsp;&lt;code&gt;&amp;lt;user</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;found&nbsp;in&nbsp;the&nbsp;user's&nbsp;home&nbsp;directory&nbsp;under&nbsp;&lt;code&gt;&amp;lt;user</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">-home&amp;gt;/.ssh/authorized_keys&lt;/code&gt;.(Citation:&nbsp;SSH&nbsp;Authori</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">-home&amp;gt;/.ssh/authorized_keys&lt;/code&gt;.(Citation:&nbsp;SSH&nbsp;Authori</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">zed&nbsp;Keys)&nbsp;Users&nbsp;may&nbsp;edit&nbsp;the&nbsp;system\u2019s&nbsp;SSH&nbsp;config&nbsp;file&nbsp;to&nbsp;mod</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">zed&nbsp;Keys)&nbsp;Users&nbsp;may&nbsp;edit&nbsp;the&nbsp;system\u2019s&nbsp;SSH&nbsp;config&nbsp;file&nbsp;to&nbsp;mod</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ify&nbsp;the&nbsp;directives&nbsp;PubkeyAuthentication&nbsp;and&nbsp;RSAAuthenticatio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ify&nbsp;the&nbsp;directives&nbsp;PubkeyAuthentication&nbsp;and&nbsp;RSAAuthenticatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;to&nbsp;the&nbsp;value&nbsp;\u201cyes\u201d&nbsp;to&nbsp;ensure&nbsp;public&nbsp;key&nbsp;and&nbsp;RSA&nbsp;authentica</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;to&nbsp;the&nbsp;value&nbsp;\u201cyes\u201d&nbsp;to&nbsp;ensure&nbsp;public&nbsp;key&nbsp;and&nbsp;RSA&nbsp;authentica</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;are&nbsp;enabled.&nbsp;The&nbsp;SSH&nbsp;config&nbsp;file&nbsp;is&nbsp;usually&nbsp;located&nbsp;und</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;are&nbsp;enabled.&nbsp;The&nbsp;SSH&nbsp;config&nbsp;file&nbsp;is&nbsp;usually&nbsp;located&nbsp;und</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;&lt;code&gt;/etc/ssh/sshd_config&lt;/code&gt;.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;modif</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;&lt;code&gt;/etc/ssh/sshd_config&lt;/code&gt;.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;modif</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;files&nbsp;directly&nbsp;with&nbsp;scrip</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;SSH&nbsp;&lt;code&gt;authorized_keys&lt;/code&gt;&nbsp;files&nbsp;directly&nbsp;with&nbsp;scrip</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ts&nbsp;or&nbsp;shell&nbsp;commands&nbsp;to&nbsp;add&nbsp;their&nbsp;own&nbsp;adversary-supplied&nbsp;pub</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ts&nbsp;or&nbsp;shell&nbsp;commands&nbsp;to&nbsp;add&nbsp;their&nbsp;own&nbsp;adversary-supplied&nbsp;pub</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lic&nbsp;keys.&nbsp;In&nbsp;cloud&nbsp;environments,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lic&nbsp;keys.&nbsp;In&nbsp;cloud&nbsp;environments,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modify&nbsp;the&nbsp;SSH&nbsp;authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;particular&nbsp;virtual&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modify&nbsp;the&nbsp;SSH&nbsp;authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;particular&nbsp;virtual&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">machine&nbsp;via&nbsp;the&nbsp;command&nbsp;line&nbsp;interface&nbsp;or&nbsp;rest&nbsp;API.&nbsp;For&nbsp;exam</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">machine&nbsp;via&nbsp;the&nbsp;command&nbsp;line&nbsp;interface&nbsp;or&nbsp;rest&nbsp;API.&nbsp;For&nbsp;exam</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ple,&nbsp;by&nbsp;using&nbsp;the&nbsp;Google&nbsp;Cloud&nbsp;CLI\u2019s&nbsp;\u201cadd-metadata\u201d&nbsp;command&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ple,&nbsp;by&nbsp;using&nbsp;the&nbsp;Google&nbsp;Cloud&nbsp;CLI\u2019s&nbsp;\u201cadd-metadata\u201d&nbsp;command&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;adversary&nbsp;may&nbsp;add&nbsp;SSH&nbsp;keys&nbsp;to&nbsp;a&nbsp;user&nbsp;account.(Citation:&nbsp;G</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;adversary&nbsp;may&nbsp;add&nbsp;SSH&nbsp;keys&nbsp;to&nbsp;a&nbsp;user&nbsp;account.(Citation:&nbsp;G</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oogle&nbsp;Cloud&nbsp;Add&nbsp;Metadata)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;Privilege&nbsp;E</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oogle&nbsp;Cloud&nbsp;Add&nbsp;Metadata)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;Privilege&nbsp;E</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">scalation)&nbsp;Similarly,&nbsp;in&nbsp;Azure,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;update&nbsp;the&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">scalation)&nbsp;Similarly,&nbsp;in&nbsp;Azure,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;update&nbsp;the&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;virtual&nbsp;machine&nbsp;via&nbsp;a&nbsp;PATCH&nbsp;reques</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">authorized_keys&nbsp;file&nbsp;of&nbsp;a&nbsp;virtual&nbsp;machine&nbsp;via&nbsp;a&nbsp;PATCH&nbsp;reques</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;to&nbsp;the&nbsp;API.(Citation:&nbsp;Azure&nbsp;Update&nbsp;Virtual&nbsp;Machines)&nbsp;This&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;to&nbsp;the&nbsp;API.(Citation:&nbsp;Azure&nbsp;Update&nbsp;Virtual&nbsp;Machines)&nbsp;This&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ensures&nbsp;that&nbsp;an&nbsp;adversary&nbsp;possessing&nbsp;the&nbsp;corresponding&nbsp;priva</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ensures&nbsp;that&nbsp;an&nbsp;adversary&nbsp;possessing&nbsp;the&nbsp;corresponding&nbsp;priva</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">te&nbsp;key&nbsp;may&nbsp;log&nbsp;in&nbsp;as&nbsp;an&nbsp;existing&nbsp;user&nbsp;via&nbsp;SSH.(Citation:&nbsp;Ven</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">te&nbsp;key&nbsp;may&nbsp;log&nbsp;in&nbsp;as&nbsp;an&nbsp;existing&nbsp;user&nbsp;via&nbsp;SSH.(Citation:&nbsp;Ven</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">afi&nbsp;SSH&nbsp;Key&nbsp;Abuse)(Citation:&nbsp;Cybereason&nbsp;Linux&nbsp;Exim&nbsp;Worm)&nbsp;&nbsp;&nbsp;W</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">afi&nbsp;SSH&nbsp;Key&nbsp;Abuse)(Citation:&nbsp;Cybereason&nbsp;Linux&nbsp;Exim&nbsp;Worm)&nbsp;<span class=\"diff_add\">It&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">here&nbsp;authorized_keys&nbsp;files&nbsp;are&nbsp;modified&nbsp;via&nbsp;cloud&nbsp;APIs&nbsp;or&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">may&nbsp;also&nbsp;lead&nbsp;to&nbsp;privilege&nbsp;escalation&nbsp;where&nbsp;the&nbsp;virtual&nbsp;mach</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mmand&nbsp;line&nbsp;interfaces,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;achieve&nbsp;privilege&nbsp;es</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ine&nbsp;or&nbsp;instance&nbsp;has&nbsp;distinct&nbsp;permissions&nbsp;from&nbsp;the&nbsp;requesting</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">calation&nbsp;on&nbsp;the&nbsp;target&nbsp;virtual&nbsp;machine&nbsp;if&nbsp;they&nbsp;add&nbsp;a&nbsp;key&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;user.</span>&nbsp;&nbsp;Where&nbsp;authorized_keys&nbsp;files&nbsp;are&nbsp;modified&nbsp;via&nbsp;cloud&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;higher-privileged&nbsp;user.&nbsp;&nbsp;&nbsp;SSH&nbsp;keys&nbsp;can&nbsp;also&nbsp;be&nbsp;added&nbsp;to&nbsp;ac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">PIs&nbsp;or&nbsp;command&nbsp;line&nbsp;interfaces,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;achieve&nbsp;pri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">counts&nbsp;on&nbsp;network&nbsp;devices,&nbsp;such&nbsp;as&nbsp;with&nbsp;the&nbsp;`ip&nbsp;ssh&nbsp;pubkey-c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">vilege&nbsp;escalation&nbsp;on&nbsp;the&nbsp;target&nbsp;virtual&nbsp;machine&nbsp;if&nbsp;they&nbsp;add&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hain`&nbsp;[Network&nbsp;Device&nbsp;CLI](https://attack.mitre.org/techniqu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a&nbsp;key&nbsp;to&nbsp;a&nbsp;higher-privileged&nbsp;user.&nbsp;&nbsp;&nbsp;SSH&nbsp;keys&nbsp;can&nbsp;also&nbsp;be&nbsp;ad</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es/T1059/008)&nbsp;command.(Citation:&nbsp;cisco_ip_ssh_pubkey_ch_cmd)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ded&nbsp;to&nbsp;accounts&nbsp;on&nbsp;network&nbsp;devices,&nbsp;such&nbsp;as&nbsp;with&nbsp;the&nbsp;`ip&nbsp;ssh</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;pubkey-chain`&nbsp;[Network&nbsp;Device&nbsp;CLI](https://attack.mitre.org</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/techniques/T1059/008)&nbsp;command.(Citation:&nbsp;cisco_ip_ssh_pubke</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y_ch_cmd)</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -2453,7 +2453,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:10:09.833000+00:00\", \"old_value\": \"2023-03-02 21:34:46.139000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\\n\\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\", \"old_value\": \"Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\\n\\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\\n \\n-Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\\n+Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090), including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation: FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Mandiant APT29 Microsoft 365 2022\", \"description\": \"Douglas Bienstock. (2022, August 18). You Can\\u2019t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft\"}, \"root['external_references'][3]\": {\"source_name\": \"FBI Proxies Credential Stuffing\", \"description\": \"FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts . Retrieved July 6, 2023.\", \"url\": \"https://www.ic3.gov/Media/News/2022/220818.pdf\"}, \"root['x_mitre_contributors'][1]\": \"Goldstein Menachem\"}}",
                     "previous_version": "1.2",
                     "version_change": "1.2 \u2192 1.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to26__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to26__0\"><a href=\"#difflib_chg_to26__top\">t</a></td><td class=\"diff_header\" id=\"from26_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to26__top\">t</a></td><td class=\"diff_header\" id=\"to26_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;A&nbsp;wide&nbsp;variety&nbsp;of&nbsp;infrastructure&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;A&nbsp;wide&nbsp;variety&nbsp;of&nbsp;infrastructure&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xists&nbsp;for&nbsp;hosting&nbsp;and&nbsp;orchestrating&nbsp;adversary&nbsp;operations.&nbsp;In</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xists&nbsp;for&nbsp;hosting&nbsp;and&nbsp;orchestrating&nbsp;adversary&nbsp;operations.&nbsp;In</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">frastructure&nbsp;solutions&nbsp;include&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;do</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">frastructure&nbsp;solutions&nbsp;include&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;do</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;services.(Citation:&nbsp;TrendmicroHid</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;services.(Citation:&nbsp;TrendmicroHid</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eoutsLease)&nbsp;Additionally,&nbsp;botnets&nbsp;are&nbsp;available&nbsp;for&nbsp;rent&nbsp;or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eoutsLease)&nbsp;Additionally,&nbsp;botnets&nbsp;are&nbsp;available&nbsp;for&nbsp;rent&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">purchase.&nbsp;&nbsp;Use&nbsp;of&nbsp;these&nbsp;infrastructure&nbsp;solutions&nbsp;allows&nbsp;adve</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">purchase.&nbsp;&nbsp;Use&nbsp;of&nbsp;these&nbsp;infrastructure&nbsp;solutions&nbsp;allows&nbsp;adve</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rsaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;execute&nbsp;operations.&nbsp;Solutions&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rsaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;execute&nbsp;operations.&nbsp;Solutions&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;help&nbsp;adversary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;help&nbsp;adversary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">seen&nbsp;as&nbsp;normal,&nbsp;such&nbsp;as&nbsp;contacting&nbsp;third-party&nbsp;web&nbsp;services&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">seen&nbsp;as&nbsp;normal,&nbsp;such&nbsp;as&nbsp;contacting&nbsp;third-party&nbsp;web&nbsp;services&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;acquiring&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;acquiring&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](https://attac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1090).(Citation:&nbsp;amnesty_nso_pegasus</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1090)<span class=\"diff_add\">,&nbsp;including&nbsp;from&nbsp;residential&nbsp;pr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;Depending&nbsp;on&nbsp;the&nbsp;implementation,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;infra</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">oxy&nbsp;services</span>.(Citation:&nbsp;amnesty_nso_pegasus)<span class=\"diff_add\">(Citation:&nbsp;FBI&nbsp;P</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structure&nbsp;that&nbsp;makes&nbsp;it&nbsp;difficult&nbsp;to&nbsp;physically&nbsp;tie&nbsp;back&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">roxies&nbsp;Credential&nbsp;Stuffing)(Citation:&nbsp;Mandiant&nbsp;APT29&nbsp;Microso</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">them&nbsp;as&nbsp;well&nbsp;as&nbsp;utilize&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;be&nbsp;rapidly&nbsp;p</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ft&nbsp;365&nbsp;2022)</span>&nbsp;Depending&nbsp;on&nbsp;the&nbsp;implementation,&nbsp;adversaries&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rovisioned,&nbsp;modified,&nbsp;and&nbsp;shut&nbsp;down.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;use&nbsp;infrastructure&nbsp;that&nbsp;makes&nbsp;it&nbsp;difficult&nbsp;to&nbsp;physically&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ie&nbsp;back&nbsp;to&nbsp;them&nbsp;as&nbsp;well&nbsp;as&nbsp;utilize&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;rapidly&nbsp;provisioned,&nbsp;modified,&nbsp;and&nbsp;shut&nbsp;down.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to5__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to5__0\"><a href=\"#difflib_chg_to5__top\">t</a></td><td class=\"diff_header\" id=\"from5_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to5__top\">t</a></td><td class=\"diff_header\" id=\"to5_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;buy,&nbsp;lease,&nbsp;or&nbsp;rent&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;A&nbsp;wide&nbsp;variety&nbsp;of&nbsp;infrastructure&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;A&nbsp;wide&nbsp;variety&nbsp;of&nbsp;infrastructure&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xists&nbsp;for&nbsp;hosting&nbsp;and&nbsp;orchestrating&nbsp;adversary&nbsp;operations.&nbsp;In</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xists&nbsp;for&nbsp;hosting&nbsp;and&nbsp;orchestrating&nbsp;adversary&nbsp;operations.&nbsp;In</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">frastructure&nbsp;solutions&nbsp;include&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;do</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">frastructure&nbsp;solutions&nbsp;include&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;do</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;services.(Citation:&nbsp;TrendmicroHid</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;services.(Citation:&nbsp;TrendmicroHid</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eoutsLease)&nbsp;Additionally,&nbsp;botnets&nbsp;are&nbsp;available&nbsp;for&nbsp;rent&nbsp;or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eoutsLease)&nbsp;Additionally,&nbsp;botnets&nbsp;are&nbsp;available&nbsp;for&nbsp;rent&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">purchase.&nbsp;&nbsp;Use&nbsp;of&nbsp;these&nbsp;infrastructure&nbsp;solutions&nbsp;allows&nbsp;adve</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">purchase.&nbsp;&nbsp;Use&nbsp;of&nbsp;these&nbsp;infrastructure&nbsp;solutions&nbsp;allows&nbsp;adve</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rsaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;execute&nbsp;operations.&nbsp;Solutions&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rsaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;execute&nbsp;operations.&nbsp;Solutions&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;help&nbsp;adversary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;help&nbsp;adversary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">seen&nbsp;as&nbsp;normal,&nbsp;such&nbsp;as&nbsp;contacting&nbsp;third-party&nbsp;web&nbsp;services&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">seen&nbsp;as&nbsp;normal,&nbsp;such&nbsp;as&nbsp;contacting&nbsp;third-party&nbsp;web&nbsp;services&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;acquiring&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;acquiring&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](https://attac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1090).(Citation:&nbsp;amnesty_nso_pegasus</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1090)<span class=\"diff_add\">,&nbsp;including&nbsp;from&nbsp;residential&nbsp;pr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;Depending&nbsp;on&nbsp;the&nbsp;implementation,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;infra</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">oxy&nbsp;services</span>.(Citation:&nbsp;amnesty_nso_pegasus)<span class=\"diff_add\">(Citation:&nbsp;FBI&nbsp;P</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structure&nbsp;that&nbsp;makes&nbsp;it&nbsp;difficult&nbsp;to&nbsp;physically&nbsp;tie&nbsp;back&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">roxies&nbsp;Credential&nbsp;Stuffing)(Citation:&nbsp;Mandiant&nbsp;APT29&nbsp;Microso</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">them&nbsp;as&nbsp;well&nbsp;as&nbsp;utilize&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;be&nbsp;rapidly&nbsp;p</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ft&nbsp;365&nbsp;2022)</span>&nbsp;Depending&nbsp;on&nbsp;the&nbsp;implementation,&nbsp;adversaries&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rovisioned,&nbsp;modified,&nbsp;and&nbsp;shut&nbsp;down.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;use&nbsp;infrastructure&nbsp;that&nbsp;makes&nbsp;it&nbsp;difficult&nbsp;to&nbsp;physically&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ie&nbsp;back&nbsp;to&nbsp;them&nbsp;as&nbsp;well&nbsp;as&nbsp;utilize&nbsp;infrastructure&nbsp;that&nbsp;can&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;rapidly&nbsp;provisioned,&nbsp;modified,&nbsp;and&nbsp;shut&nbsp;down.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1056: Pre-compromise"
@@ -2572,7 +2572,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:27:50.792000+00:00\", \"old_value\": \"2023-03-30 21:01:37.568000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n\\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\\n\\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\", \"old_value\": \"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n\\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\\n\\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n+Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n \\n For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}}",
                     "previous_version": "2.2",
                     "version_change": "2.2 \u2192 2.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to4__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to4__0\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"from4_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td><td class=\"diff_next\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"to4_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;more&nbsp;networked&nbsp;devices&nbsp;using&nbsp;an&nbsp;adversary-in-the-middle&nbsp;(A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;more&nbsp;networked&nbsp;devices&nbsp;using&nbsp;an&nbsp;adversary-in-the-middle&nbsp;(A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iTM)&nbsp;technique&nbsp;to&nbsp;support&nbsp;follow-on&nbsp;behaviors&nbsp;such&nbsp;as&nbsp;[Netwo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iTM)&nbsp;technique&nbsp;to&nbsp;support&nbsp;follow-on&nbsp;behaviors&nbsp;such&nbsp;as&nbsp;[Netwo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rk&nbsp;Sniffing](https://attack.mitre.org/techniques/T1040)<span class=\"diff_chg\">&nbsp;or</span>&nbsp;[</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rk&nbsp;Sniffing](https://attack.mitre.org/techniques/T1040)<span class=\"diff_chg\">,</span>&nbsp;[Tr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Transmitted&nbsp;Data&nbsp;Manipulation](https://attack.mitre.org/tech</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ansmitted&nbsp;Data&nbsp;Manipulation](https://attack.mitre.org/techni</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">niques/T1565/002)<span class=\"diff_chg\">.</span>&nbsp;By&nbsp;abusing&nbsp;features&nbsp;of&nbsp;common&nbsp;networking&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1565/002)<span class=\"diff_chg\">,&nbsp;or&nbsp;replay&nbsp;attacks&nbsp;([Exploitation&nbsp;for&nbsp;Creden</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">protocols&nbsp;that&nbsp;can&nbsp;determine&nbsp;the&nbsp;flow&nbsp;of&nbsp;network&nbsp;traffic&nbsp;(e.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">tial&nbsp;Access](https://attack.mitre.org/techniques/T1212)).</span>&nbsp;By</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g.&nbsp;ARP,&nbsp;DNS,&nbsp;LLMNR,&nbsp;etc.),&nbsp;adversaries&nbsp;may&nbsp;force&nbsp;a&nbsp;device&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;abusing&nbsp;features&nbsp;of&nbsp;common&nbsp;networking&nbsp;protocols&nbsp;that&nbsp;can&nbsp;de</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;communicate&nbsp;through&nbsp;an&nbsp;adversary&nbsp;controlled&nbsp;system&nbsp;so&nbsp;they&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">termine&nbsp;the&nbsp;flow&nbsp;of&nbsp;network&nbsp;traffic&nbsp;(e.g.&nbsp;ARP,&nbsp;DNS,&nbsp;LLMNR,&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">can&nbsp;collect&nbsp;information&nbsp;or&nbsp;perform&nbsp;additional&nbsp;actions.(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tc.),&nbsp;adversaries&nbsp;may&nbsp;force&nbsp;a&nbsp;device&nbsp;to&nbsp;communicate&nbsp;through&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Rapid7&nbsp;MiTM&nbsp;Basics)&nbsp;&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;manip</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;adversary&nbsp;controlled&nbsp;system&nbsp;so&nbsp;they&nbsp;can&nbsp;collect&nbsp;informati</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ulate&nbsp;victim&nbsp;DNS&nbsp;settings&nbsp;to&nbsp;enable&nbsp;other&nbsp;malicious&nbsp;activiti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;or&nbsp;perform&nbsp;additional&nbsp;actions.(Citation:&nbsp;Rapid7&nbsp;MiTM&nbsp;Basi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;such&nbsp;as&nbsp;preventing/redirecting&nbsp;users&nbsp;from&nbsp;accessing&nbsp;legit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cs)&nbsp;&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;manipulate&nbsp;victim&nbsp;DNS&nbsp;sett</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">imate&nbsp;sites&nbsp;and/or&nbsp;pushing&nbsp;additional&nbsp;malware.(Citation:&nbsp;tti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ings&nbsp;to&nbsp;enable&nbsp;other&nbsp;malicious&nbsp;activities&nbsp;such&nbsp;as&nbsp;preventing</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt_rat)(Citation:&nbsp;dns_changer_trojans)(Citation:&nbsp;ad_blocker_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/redirecting&nbsp;users&nbsp;from&nbsp;accessing&nbsp;legitimate&nbsp;sites&nbsp;and/or&nbsp;pu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">with_miner)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;manipulate&nbsp;DNS&nbsp;and&nbsp;leverage</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shing&nbsp;additional&nbsp;malware.(Citation:&nbsp;ttint_rat)(Citation:&nbsp;dns</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;their&nbsp;position&nbsp;in&nbsp;order&nbsp;to&nbsp;intercept&nbsp;user&nbsp;credentials&nbsp;and&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">_changer_trojans)(Citation:&nbsp;ad_blocker_with_miner)&nbsp;Adversari</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ession&nbsp;cookies.(Citation:&nbsp;volexity_0day_sophos_FW)&nbsp;[Downgrad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;may&nbsp;also&nbsp;manipulate&nbsp;DNS&nbsp;and&nbsp;leverage&nbsp;their&nbsp;position&nbsp;in&nbsp;or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;Attack](https://attack.mitre.org/techniques/T1562/010)s&nbsp;ca</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">der&nbsp;to&nbsp;intercept&nbsp;user&nbsp;credentials&nbsp;and&nbsp;session&nbsp;cookies.(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;establish&nbsp;an&nbsp;AiTM&nbsp;position,&nbsp;such&nbsp;as&nbsp;by&nbsp;neg</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;volexity_0day_sophos_FW)&nbsp;[Downgrade&nbsp;Attack](https://att</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">otiating&nbsp;a&nbsp;less&nbsp;secure,&nbsp;deprecated,&nbsp;or&nbsp;weaker&nbsp;version&nbsp;of&nbsp;com</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ack.mitre.org/techniques/T1562/010)s&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;est</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">munication&nbsp;protocol&nbsp;(SSL/TLS)&nbsp;or&nbsp;encryption&nbsp;algorithm.(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ablish&nbsp;an&nbsp;AiTM&nbsp;position,&nbsp;such&nbsp;as&nbsp;by&nbsp;negotiating&nbsp;a&nbsp;less&nbsp;secur</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;mitm_tls_downgrade_att)(Citation:&nbsp;taxonomy_downgrade_at</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;deprecated,&nbsp;or&nbsp;weaker&nbsp;version&nbsp;of&nbsp;communication&nbsp;protocol&nbsp;(</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t_tls)(Citation:&nbsp;tlseminar_downgrade_att)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">SSL/TLS)&nbsp;or&nbsp;encryption&nbsp;algorithm.(Citation:&nbsp;mitm_tls_downgra</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lso&nbsp;leverage&nbsp;the&nbsp;AiTM&nbsp;position&nbsp;to&nbsp;attempt&nbsp;to&nbsp;monitor&nbsp;and/or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de_att)(Citation:&nbsp;taxonomy_downgrade_att_tls)(Citation:&nbsp;tlse</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modify&nbsp;traffic,&nbsp;such&nbsp;as&nbsp;in&nbsp;[Transmitted&nbsp;Data&nbsp;Manipulation](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">minar_downgrade_att)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;leverage&nbsp;the&nbsp;AiTM</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1565/002).&nbsp;Adversaries&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;position&nbsp;to&nbsp;attempt&nbsp;to&nbsp;monitor&nbsp;and/or&nbsp;modify&nbsp;traffic,&nbsp;such&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;setup&nbsp;a&nbsp;position&nbsp;similar&nbsp;to&nbsp;AiTM&nbsp;to&nbsp;prevent&nbsp;traffic&nbsp;from&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;in&nbsp;[Transmitted&nbsp;Data&nbsp;Manipulation](https://attack.mitre.o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">flowing&nbsp;to&nbsp;the&nbsp;appropriate&nbsp;destination,&nbsp;potentially&nbsp;to&nbsp;[Impa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rg/techniques/T1565/002).&nbsp;Adversaries&nbsp;can&nbsp;setup&nbsp;a&nbsp;position&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ir&nbsp;Defenses](https://attack.mitre.org/techniques/T1562)&nbsp;and/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">imilar&nbsp;to&nbsp;AiTM&nbsp;to&nbsp;prevent&nbsp;traffic&nbsp;from&nbsp;flowing&nbsp;to&nbsp;the&nbsp;approp</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;in&nbsp;support&nbsp;of&nbsp;a&nbsp;[Network&nbsp;Denial&nbsp;of&nbsp;Service](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">riate&nbsp;destination,&nbsp;potentially&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1498).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">attack.mitre.org/techniques/T1562)&nbsp;and/or&nbsp;in&nbsp;support&nbsp;of&nbsp;a&nbsp;[N</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etwork&nbsp;Denial&nbsp;of&nbsp;Service](https://attack.mitre.org/technique</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s/T1498).</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to34__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to34__0\"><a href=\"#difflib_chg_to34__top\">t</a></td><td class=\"diff_header\" id=\"from34_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td><td class=\"diff_next\"><a href=\"#difflib_chg_to34__top\">t</a></td><td class=\"diff_header\" id=\"to34_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;position&nbsp;themselves&nbsp;between&nbsp;two&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;more&nbsp;networked&nbsp;devices&nbsp;using&nbsp;an&nbsp;adversary-in-the-middle&nbsp;(A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;more&nbsp;networked&nbsp;devices&nbsp;using&nbsp;an&nbsp;adversary-in-the-middle&nbsp;(A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iTM)&nbsp;technique&nbsp;to&nbsp;support&nbsp;follow-on&nbsp;behaviors&nbsp;such&nbsp;as&nbsp;[Netwo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iTM)&nbsp;technique&nbsp;to&nbsp;support&nbsp;follow-on&nbsp;behaviors&nbsp;such&nbsp;as&nbsp;[Netwo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rk&nbsp;Sniffing](https://attack.mitre.org/techniques/T1040)<span class=\"diff_chg\">&nbsp;or</span>&nbsp;[</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rk&nbsp;Sniffing](https://attack.mitre.org/techniques/T1040)<span class=\"diff_chg\">,</span>&nbsp;[Tr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Transmitted&nbsp;Data&nbsp;Manipulation](https://attack.mitre.org/tech</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ansmitted&nbsp;Data&nbsp;Manipulation](https://attack.mitre.org/techni</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">niques/T1565/002)<span class=\"diff_chg\">.</span>&nbsp;By&nbsp;abusing&nbsp;features&nbsp;of&nbsp;common&nbsp;networking&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1565/002)<span class=\"diff_chg\">,&nbsp;or&nbsp;replay&nbsp;attacks&nbsp;([Exploitation&nbsp;for&nbsp;Creden</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">protocols&nbsp;that&nbsp;can&nbsp;determine&nbsp;the&nbsp;flow&nbsp;of&nbsp;network&nbsp;traffic&nbsp;(e.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">tial&nbsp;Access](https://attack.mitre.org/techniques/T1212)).</span>&nbsp;By</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g.&nbsp;ARP,&nbsp;DNS,&nbsp;LLMNR,&nbsp;etc.),&nbsp;adversaries&nbsp;may&nbsp;force&nbsp;a&nbsp;device&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;abusing&nbsp;features&nbsp;of&nbsp;common&nbsp;networking&nbsp;protocols&nbsp;that&nbsp;can&nbsp;de</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;communicate&nbsp;through&nbsp;an&nbsp;adversary&nbsp;controlled&nbsp;system&nbsp;so&nbsp;they&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">termine&nbsp;the&nbsp;flow&nbsp;of&nbsp;network&nbsp;traffic&nbsp;(e.g.&nbsp;ARP,&nbsp;DNS,&nbsp;LLMNR,&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">can&nbsp;collect&nbsp;information&nbsp;or&nbsp;perform&nbsp;additional&nbsp;actions.(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tc.),&nbsp;adversaries&nbsp;may&nbsp;force&nbsp;a&nbsp;device&nbsp;to&nbsp;communicate&nbsp;through&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Rapid7&nbsp;MiTM&nbsp;Basics)&nbsp;&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;manip</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;adversary&nbsp;controlled&nbsp;system&nbsp;so&nbsp;they&nbsp;can&nbsp;collect&nbsp;informati</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ulate&nbsp;victim&nbsp;DNS&nbsp;settings&nbsp;to&nbsp;enable&nbsp;other&nbsp;malicious&nbsp;activiti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;or&nbsp;perform&nbsp;additional&nbsp;actions.(Citation:&nbsp;Rapid7&nbsp;MiTM&nbsp;Basi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;such&nbsp;as&nbsp;preventing/redirecting&nbsp;users&nbsp;from&nbsp;accessing&nbsp;legit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cs)&nbsp;&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;manipulate&nbsp;victim&nbsp;DNS&nbsp;sett</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">imate&nbsp;sites&nbsp;and/or&nbsp;pushing&nbsp;additional&nbsp;malware.(Citation:&nbsp;tti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ings&nbsp;to&nbsp;enable&nbsp;other&nbsp;malicious&nbsp;activities&nbsp;such&nbsp;as&nbsp;preventing</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt_rat)(Citation:&nbsp;dns_changer_trojans)(Citation:&nbsp;ad_blocker_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/redirecting&nbsp;users&nbsp;from&nbsp;accessing&nbsp;legitimate&nbsp;sites&nbsp;and/or&nbsp;pu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">with_miner)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;manipulate&nbsp;DNS&nbsp;and&nbsp;leverage</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shing&nbsp;additional&nbsp;malware.(Citation:&nbsp;ttint_rat)(Citation:&nbsp;dns</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;their&nbsp;position&nbsp;in&nbsp;order&nbsp;to&nbsp;intercept&nbsp;user&nbsp;credentials&nbsp;and&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">_changer_trojans)(Citation:&nbsp;ad_blocker_with_miner)&nbsp;Adversari</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ession&nbsp;cookies.(Citation:&nbsp;volexity_0day_sophos_FW)&nbsp;[Downgrad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;may&nbsp;also&nbsp;manipulate&nbsp;DNS&nbsp;and&nbsp;leverage&nbsp;their&nbsp;position&nbsp;in&nbsp;or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;Attack](https://attack.mitre.org/techniques/T1562/010)s&nbsp;ca</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">der&nbsp;to&nbsp;intercept&nbsp;user&nbsp;credentials&nbsp;and&nbsp;session&nbsp;cookies.(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;establish&nbsp;an&nbsp;AiTM&nbsp;position,&nbsp;such&nbsp;as&nbsp;by&nbsp;neg</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;volexity_0day_sophos_FW)&nbsp;[Downgrade&nbsp;Attack](https://att</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">otiating&nbsp;a&nbsp;less&nbsp;secure,&nbsp;deprecated,&nbsp;or&nbsp;weaker&nbsp;version&nbsp;of&nbsp;com</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ack.mitre.org/techniques/T1562/010)s&nbsp;can&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;est</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">munication&nbsp;protocol&nbsp;(SSL/TLS)&nbsp;or&nbsp;encryption&nbsp;algorithm.(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ablish&nbsp;an&nbsp;AiTM&nbsp;position,&nbsp;such&nbsp;as&nbsp;by&nbsp;negotiating&nbsp;a&nbsp;less&nbsp;secur</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;mitm_tls_downgrade_att)(Citation:&nbsp;taxonomy_downgrade_at</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;deprecated,&nbsp;or&nbsp;weaker&nbsp;version&nbsp;of&nbsp;communication&nbsp;protocol&nbsp;(</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t_tls)(Citation:&nbsp;tlseminar_downgrade_att)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">SSL/TLS)&nbsp;or&nbsp;encryption&nbsp;algorithm.(Citation:&nbsp;mitm_tls_downgra</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lso&nbsp;leverage&nbsp;the&nbsp;AiTM&nbsp;position&nbsp;to&nbsp;attempt&nbsp;to&nbsp;monitor&nbsp;and/or&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de_att)(Citation:&nbsp;taxonomy_downgrade_att_tls)(Citation:&nbsp;tlse</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">modify&nbsp;traffic,&nbsp;such&nbsp;as&nbsp;in&nbsp;[Transmitted&nbsp;Data&nbsp;Manipulation](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">minar_downgrade_att)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;leverage&nbsp;the&nbsp;AiTM</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1565/002).&nbsp;Adversaries&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;position&nbsp;to&nbsp;attempt&nbsp;to&nbsp;monitor&nbsp;and/or&nbsp;modify&nbsp;traffic,&nbsp;such&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;setup&nbsp;a&nbsp;position&nbsp;similar&nbsp;to&nbsp;AiTM&nbsp;to&nbsp;prevent&nbsp;traffic&nbsp;from&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;in&nbsp;[Transmitted&nbsp;Data&nbsp;Manipulation](https://attack.mitre.o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">flowing&nbsp;to&nbsp;the&nbsp;appropriate&nbsp;destination,&nbsp;potentially&nbsp;to&nbsp;[Impa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rg/techniques/T1565/002).&nbsp;Adversaries&nbsp;can&nbsp;setup&nbsp;a&nbsp;position&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ir&nbsp;Defenses](https://attack.mitre.org/techniques/T1562)&nbsp;and/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">imilar&nbsp;to&nbsp;AiTM&nbsp;to&nbsp;prevent&nbsp;traffic&nbsp;from&nbsp;flowing&nbsp;to&nbsp;the&nbsp;approp</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;in&nbsp;support&nbsp;of&nbsp;a&nbsp;[Network&nbsp;Denial&nbsp;of&nbsp;Service](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">riate&nbsp;destination,&nbsp;potentially&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1498).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">attack.mitre.org/techniques/T1562)&nbsp;and/or&nbsp;in&nbsp;support&nbsp;of&nbsp;a&nbsp;[N</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etwork&nbsp;Denial&nbsp;of&nbsp;Service](https://attack.mitre.org/technique</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s/T1498).</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1017: User Training",
@@ -2649,7 +2649,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 02:42:15.473000+00:00\", \"old_value\": \"2020-08-21 14:41:22.911000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \", \"old_value\": \"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n \\n-Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \\n+Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                     "previous_version": "1.0",
                     "version_change": "1.0 \u2192 1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to22__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to22__0\"><a href=\"#difflib_chg_to22__top\">t</a></td><td class=\"diff_header\" id=\"from22_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td><td class=\"diff_next\"><a href=\"#difflib_chg_to22__top\">t</a></td><td class=\"diff_header\" id=\"to22_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ds,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;between&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ds,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;between&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;FTP,&nbsp;FTPS,&nbsp;and&nbsp;TFTP&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as<span class=\"diff_add\">&nbsp;SMB,</span>&nbsp;FTP,&nbsp;FTPS,&nbsp;and&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">that&nbsp;transfer&nbsp;files&nbsp;may&nbsp;be&nbsp;very&nbsp;common&nbsp;in&nbsp;environments.&nbsp;&nbsp;Pac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">TFTP&nbsp;that&nbsp;transfer&nbsp;files&nbsp;may&nbsp;be&nbsp;very&nbsp;common&nbsp;in&nbsp;environments.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;have&nbsp;many&nbsp;fields&nbsp;and&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;Packets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;have&nbsp;many&nbsp;fields</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Data&nbsp;could&nbsp;also&nbsp;be&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Data&nbsp;could&nbsp;also</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oncealed&nbsp;within&nbsp;the&nbsp;transferred&nbsp;files.&nbsp;An&nbsp;adversary&nbsp;may&nbsp;abus</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;be&nbsp;concealed&nbsp;within&nbsp;the&nbsp;transferred&nbsp;files.&nbsp;An&nbsp;adversary&nbsp;may</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;with&nbsp;systems&nbsp;under&nbsp;their&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;abuse&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;with&nbsp;systems&nbsp;under&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ntrol&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;while&nbsp;also&nbsp;mimicking&nbsp;normal,&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ir&nbsp;control&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;while&nbsp;also&nbsp;mimicking&nbsp;norm</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xpected&nbsp;traffic.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">al,&nbsp;expected&nbsp;traffic.&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to13__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to13__0\"><a href=\"#difflib_chg_to13__top\">t</a></td><td class=\"diff_header\" id=\"from13_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td><td class=\"diff_next\"><a href=\"#difflib_chg_to13__top\">t</a></td><td class=\"diff_header\" id=\"to13_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;communicate&nbsp;using&nbsp;application&nbsp;layer&nbsp;protocol</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;associated&nbsp;with&nbsp;transferring&nbsp;files&nbsp;to&nbsp;avoid&nbsp;detection/netw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;filtering&nbsp;by&nbsp;blending&nbsp;in&nbsp;with&nbsp;existing&nbsp;traffic.&nbsp;Commands</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;the&nbsp;remote&nbsp;system,&nbsp;and&nbsp;often&nbsp;the&nbsp;results&nbsp;of&nbsp;those&nbsp;comman</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ds,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;between&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ds,&nbsp;will&nbsp;be&nbsp;embedded&nbsp;within&nbsp;the&nbsp;protocol&nbsp;traffic&nbsp;between&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as&nbsp;FTP,&nbsp;FTPS,&nbsp;and&nbsp;TFTP&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;client&nbsp;and&nbsp;server.&nbsp;&nbsp;&nbsp;Protocols&nbsp;such&nbsp;as<span class=\"diff_add\">&nbsp;SMB,</span>&nbsp;FTP,&nbsp;FTPS,&nbsp;and&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">that&nbsp;transfer&nbsp;files&nbsp;may&nbsp;be&nbsp;very&nbsp;common&nbsp;in&nbsp;environments.&nbsp;&nbsp;Pac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">TFTP&nbsp;that&nbsp;transfer&nbsp;files&nbsp;may&nbsp;be&nbsp;very&nbsp;common&nbsp;in&nbsp;environments.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;have&nbsp;many&nbsp;fields&nbsp;and&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;Packets&nbsp;produced&nbsp;from&nbsp;these&nbsp;protocols&nbsp;may&nbsp;have&nbsp;many&nbsp;fields</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Data&nbsp;could&nbsp;also&nbsp;be&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;and&nbsp;headers&nbsp;in&nbsp;which&nbsp;data&nbsp;can&nbsp;be&nbsp;concealed.&nbsp;Data&nbsp;could&nbsp;also</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">oncealed&nbsp;within&nbsp;the&nbsp;transferred&nbsp;files.&nbsp;An&nbsp;adversary&nbsp;may&nbsp;abus</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;be&nbsp;concealed&nbsp;within&nbsp;the&nbsp;transferred&nbsp;files.&nbsp;An&nbsp;adversary&nbsp;may</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;with&nbsp;systems&nbsp;under&nbsp;their&nbsp;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;abuse&nbsp;these&nbsp;protocols&nbsp;to&nbsp;communicate&nbsp;with&nbsp;systems&nbsp;under&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ntrol&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;while&nbsp;also&nbsp;mimicking&nbsp;normal,&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ir&nbsp;control&nbsp;within&nbsp;a&nbsp;victim&nbsp;network&nbsp;while&nbsp;also&nbsp;mimicking&nbsp;norm</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xpected&nbsp;traffic.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">al,&nbsp;expected&nbsp;traffic.&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1031: Network Intrusion Prevention"
@@ -2913,7 +2913,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-04 14:16:17.655000+00:00\", \"old_value\": \"2020-10-09 16:05:36.344000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)\\n\\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver</code> Registry key that points to the DLL.\\n\\nFor the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)\\n\\nThe print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\", \"old_value\": \"Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \\n\\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver</code> Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the <code>GetPrintProcessorDirectory</code> API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,7 @@\\n-Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \\n+Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)\\n \\n-Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver</code> Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the <code>GetPrintProcessorDirectory</code> API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\\n+Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\\\\SYSTEM\\\\\\\\[CurrentControlSet or ControlSet001]\\\\Control\\\\Print\\\\Environments\\\\\\\\[Windows architecture: e.g., Windows x64]\\\\Print Processors\\\\\\\\[user defined]\\\\Driver</code> Registry key that points to the DLL.\\n+\\n+For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, that can be found with the <code>GetPrintProcessorDirectory</code> API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020)\\n+\\n+The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Microsoft Intro Print Processors\", \"description\": \"Microsoft. (2023, June 26). Introduction to print processors. Retrieved September 27, 2023.\", \"url\": \"https://learn.microsoft.com/windows-hardware/drivers/print/introduction-to-print-processors\"}, \"root['x_mitre_contributors'][1]\": \"Tahseen Bin Taj\"}}",
                     "previous_version": "1.0",
                     "version_change": "1.0 \u2192 1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to10__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to10__0\"><a href=\"#difflib_chg_to10__top\">t</a></td><td class=\"diff_header\" id=\"from10_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td><td class=\"diff_next\"><a href=\"#difflib_chg_to10__top\">t</a></td><td class=\"diff_header\" id=\"to10_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;during&nbsp;system&nbsp;boot&nbsp;for&nbsp;persistence&nbsp;and/or&nbsp;privilege&nbsp;escalat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;during&nbsp;system&nbsp;boot&nbsp;for&nbsp;persistence&nbsp;and/or&nbsp;privilege&nbsp;escalat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion.&nbsp;Print&nbsp;processors&nbsp;are&nbsp;DLLs&nbsp;that&nbsp;are&nbsp;loaded&nbsp;by&nbsp;the&nbsp;print&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion.&nbsp;Print&nbsp;processors&nbsp;are&nbsp;DLLs&nbsp;that&nbsp;are&nbsp;loaded&nbsp;by&nbsp;the&nbsp;print&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spooler&nbsp;service,&nbsp;spoolsv.exe,&nbsp;during&nbsp;boot.<span class=\"diff_chg\">&nbsp;</span>&nbsp;&nbsp;Adversaries&nbsp;may</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spooler&nbsp;service,&nbsp;<span class=\"diff_add\">`</span>spoolsv.exe<span class=\"diff_add\">`</span>,&nbsp;during&nbsp;boot.<span class=\"diff_chg\">(Citation:&nbsp;Micro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;abuse&nbsp;the&nbsp;print&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;print&nbsp;processors&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">soft&nbsp;Intro&nbsp;Print&nbsp;Processors)</span>&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;prin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">that&nbsp;load&nbsp;malicious&nbsp;DLLs&nbsp;at&nbsp;startup.&nbsp;A&nbsp;print&nbsp;processor&nbsp;can&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;print&nbsp;processors&nbsp;that&nbsp;load&nbsp;malic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;installed&nbsp;through&nbsp;the&nbsp;&lt;code&gt;AddPrintProcessor&lt;/code&gt;&nbsp;API&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ious&nbsp;DLLs&nbsp;at&nbsp;startup.&nbsp;A&nbsp;print&nbsp;processor&nbsp;can&nbsp;be&nbsp;installed&nbsp;thr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">all&nbsp;with&nbsp;an&nbsp;account&nbsp;that&nbsp;has&nbsp;&lt;code&gt;SeLoadDriverPrivilege&lt;/co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ough&nbsp;the&nbsp;&lt;code&gt;AddPrintProcessor&lt;/code&gt;&nbsp;API&nbsp;call&nbsp;with&nbsp;an&nbsp;acc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;&nbsp;enabled.&nbsp;Alternatively,&nbsp;a&nbsp;print&nbsp;processor&nbsp;can&nbsp;be&nbsp;registe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ount&nbsp;that&nbsp;has&nbsp;&lt;code&gt;SeLoadDriverPrivilege&lt;/code&gt;&nbsp;enabled.&nbsp;Al</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">red&nbsp;to&nbsp;the&nbsp;print&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;the&nbsp;&lt;code&gt;HKLM\\SY</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ternatively,&nbsp;a&nbsp;print&nbsp;processor&nbsp;can&nbsp;be&nbsp;registered&nbsp;to&nbsp;the&nbsp;prin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">STEM\\\\[CurrentControlSet&nbsp;or&nbsp;ControlSet001]\\Control\\Print\\Env</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;the&nbsp;&lt;code&gt;HKLM\\SYSTEM\\\\[CurrentC</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironments\\\\[Windows&nbsp;architecture:&nbsp;e.g.,&nbsp;Windows&nbsp;x64]\\Print&nbsp;P</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ontrolSet&nbsp;or&nbsp;ControlSet001]\\Control\\Print\\Environments\\\\[Win</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rocessors\\\\[user&nbsp;defined]\\Driver&lt;/code&gt;&nbsp;Registry&nbsp;key&nbsp;that&nbsp;po</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dows&nbsp;architecture:&nbsp;e.g.,&nbsp;Windows&nbsp;x64]\\Print&nbsp;Processors\\\\[use</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ints&nbsp;to&nbsp;the&nbsp;DLL.&nbsp;For&nbsp;the&nbsp;<span class=\"diff_chg\">print&nbsp;processor&nbsp;to&nbsp;be&nbsp;correctly</span>&nbsp;ins</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;defined]\\Driver&lt;/code&gt;&nbsp;Registry&nbsp;key&nbsp;that&nbsp;points&nbsp;to&nbsp;the&nbsp;DLL</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">talled,&nbsp;<span class=\"diff_chg\">it</span>&nbsp;must&nbsp;be&nbsp;located&nbsp;in&nbsp;the&nbsp;system&nbsp;print-processor&nbsp;dir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.&nbsp;<span class=\"diff_add\">&nbsp;</span>For&nbsp;the&nbsp;<span class=\"diff_chg\">malicious&nbsp;print&nbsp;processor&nbsp;to&nbsp;be&nbsp;correctly</span>&nbsp;install</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ectory<span class=\"diff_chg\">&nbsp;that&nbsp;can&nbsp;be</span>&nbsp;found&nbsp;with&nbsp;the&nbsp;&lt;code&gt;GetPrintProcessorDir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed,&nbsp;<span class=\"diff_chg\">the&nbsp;payload</span>&nbsp;must&nbsp;be&nbsp;located&nbsp;in&nbsp;the<span class=\"diff_add\">&nbsp;dedicated</span>&nbsp;system&nbsp;prin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ectory&lt;/code&gt;&nbsp;API&nbsp;call.(Citation:&nbsp;Microsoft&nbsp;AddPrintProcesso</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t-processor&nbsp;directory<span class=\"diff_chg\">,&nbsp;that&nbsp;can&nbsp;be</span>&nbsp;found&nbsp;with&nbsp;the&nbsp;&lt;code&gt;GetP</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;May&nbsp;2018)&nbsp;After&nbsp;the&nbsp;print&nbsp;processors&nbsp;are&nbsp;installed,&nbsp;the&nbsp;pr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rintProcessorDirectory&lt;/code&gt;&nbsp;API&nbsp;call<span class=\"diff_add\">,&nbsp;or&nbsp;referenced&nbsp;via&nbsp;a&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">int&nbsp;spooler&nbsp;service,&nbsp;which&nbsp;starts&nbsp;during&nbsp;boot,&nbsp;must&nbsp;be&nbsp;resta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">relative&nbsp;path&nbsp;from&nbsp;this&nbsp;directory</span>.(Citation:&nbsp;Microsoft&nbsp;AddPr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rted&nbsp;in&nbsp;order&nbsp;for&nbsp;them&nbsp;to&nbsp;run.(Citation:&nbsp;ESET&nbsp;PipeMon&nbsp;May&nbsp;20</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intProcessor&nbsp;May&nbsp;2018)&nbsp;After&nbsp;the&nbsp;print&nbsp;processors&nbsp;are&nbsp;instal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">20)&nbsp;The&nbsp;print&nbsp;spooler&nbsp;service&nbsp;runs&nbsp;under&nbsp;SYSTEM&nbsp;level&nbsp;permis</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">led,&nbsp;the&nbsp;print&nbsp;spooler&nbsp;service,&nbsp;which&nbsp;starts&nbsp;during&nbsp;boot,&nbsp;mu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sions,&nbsp;therefore&nbsp;print&nbsp;processors&nbsp;installed&nbsp;by&nbsp;an&nbsp;adversary&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">st&nbsp;be&nbsp;restarted&nbsp;in&nbsp;order&nbsp;for&nbsp;them&nbsp;to&nbsp;run.(Citation:&nbsp;ESET&nbsp;Pip</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;run&nbsp;under&nbsp;elevated&nbsp;privileges.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eMon&nbsp;May&nbsp;2020)&nbsp;<span class=\"diff_add\">&nbsp;</span>The&nbsp;print&nbsp;spooler&nbsp;service&nbsp;runs&nbsp;under&nbsp;SYSTEM&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">level&nbsp;permissions,&nbsp;therefore&nbsp;print&nbsp;processors&nbsp;installed&nbsp;by&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;adversary&nbsp;may&nbsp;run&nbsp;under&nbsp;elevated&nbsp;privileges.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to12__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to12__0\"><a href=\"#difflib_chg_to12__top\">t</a></td><td class=\"diff_header\" id=\"from12_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td><td class=\"diff_next\"><a href=\"#difflib_chg_to12__top\">t</a></td><td class=\"diff_header\" id=\"to12_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;print&nbsp;processors&nbsp;to&nbsp;run&nbsp;malicious&nbsp;DLLs</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;during&nbsp;system&nbsp;boot&nbsp;for&nbsp;persistence&nbsp;and/or&nbsp;privilege&nbsp;escalat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;during&nbsp;system&nbsp;boot&nbsp;for&nbsp;persistence&nbsp;and/or&nbsp;privilege&nbsp;escalat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion.&nbsp;Print&nbsp;processors&nbsp;are&nbsp;DLLs&nbsp;that&nbsp;are&nbsp;loaded&nbsp;by&nbsp;the&nbsp;print&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion.&nbsp;Print&nbsp;processors&nbsp;are&nbsp;DLLs&nbsp;that&nbsp;are&nbsp;loaded&nbsp;by&nbsp;the&nbsp;print&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spooler&nbsp;service,&nbsp;spoolsv.exe,&nbsp;during&nbsp;boot.<span class=\"diff_chg\">&nbsp;</span>&nbsp;&nbsp;Adversaries&nbsp;may</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spooler&nbsp;service,&nbsp;<span class=\"diff_add\">`</span>spoolsv.exe<span class=\"diff_add\">`</span>,&nbsp;during&nbsp;boot.<span class=\"diff_chg\">(Citation:&nbsp;Micro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;abuse&nbsp;the&nbsp;print&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;print&nbsp;processors&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">soft&nbsp;Intro&nbsp;Print&nbsp;Processors)</span>&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;prin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">that&nbsp;load&nbsp;malicious&nbsp;DLLs&nbsp;at&nbsp;startup.&nbsp;A&nbsp;print&nbsp;processor&nbsp;can&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;print&nbsp;processors&nbsp;that&nbsp;load&nbsp;malic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;installed&nbsp;through&nbsp;the&nbsp;&lt;code&gt;AddPrintProcessor&lt;/code&gt;&nbsp;API&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ious&nbsp;DLLs&nbsp;at&nbsp;startup.&nbsp;A&nbsp;print&nbsp;processor&nbsp;can&nbsp;be&nbsp;installed&nbsp;thr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">all&nbsp;with&nbsp;an&nbsp;account&nbsp;that&nbsp;has&nbsp;&lt;code&gt;SeLoadDriverPrivilege&lt;/co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ough&nbsp;the&nbsp;&lt;code&gt;AddPrintProcessor&lt;/code&gt;&nbsp;API&nbsp;call&nbsp;with&nbsp;an&nbsp;acc</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;&nbsp;enabled.&nbsp;Alternatively,&nbsp;a&nbsp;print&nbsp;processor&nbsp;can&nbsp;be&nbsp;registe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ount&nbsp;that&nbsp;has&nbsp;&lt;code&gt;SeLoadDriverPrivilege&lt;/code&gt;&nbsp;enabled.&nbsp;Al</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">red&nbsp;to&nbsp;the&nbsp;print&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;the&nbsp;&lt;code&gt;HKLM\\SY</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ternatively,&nbsp;a&nbsp;print&nbsp;processor&nbsp;can&nbsp;be&nbsp;registered&nbsp;to&nbsp;the&nbsp;prin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">STEM\\\\[CurrentControlSet&nbsp;or&nbsp;ControlSet001]\\Control\\Print\\Env</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;spooler&nbsp;service&nbsp;by&nbsp;adding&nbsp;the&nbsp;&lt;code&gt;HKLM\\SYSTEM\\\\[CurrentC</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironments\\\\[Windows&nbsp;architecture:&nbsp;e.g.,&nbsp;Windows&nbsp;x64]\\Print&nbsp;P</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ontrolSet&nbsp;or&nbsp;ControlSet001]\\Control\\Print\\Environments\\\\[Win</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rocessors\\\\[user&nbsp;defined]\\Driver&lt;/code&gt;&nbsp;Registry&nbsp;key&nbsp;that&nbsp;po</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dows&nbsp;architecture:&nbsp;e.g.,&nbsp;Windows&nbsp;x64]\\Print&nbsp;Processors\\\\[use</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ints&nbsp;to&nbsp;the&nbsp;DLL.&nbsp;For&nbsp;the&nbsp;<span class=\"diff_chg\">print&nbsp;processor&nbsp;to&nbsp;be&nbsp;correctly</span>&nbsp;ins</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;defined]\\Driver&lt;/code&gt;&nbsp;Registry&nbsp;key&nbsp;that&nbsp;points&nbsp;to&nbsp;the&nbsp;DLL</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">talled,&nbsp;<span class=\"diff_chg\">it</span>&nbsp;must&nbsp;be&nbsp;located&nbsp;in&nbsp;the&nbsp;system&nbsp;print-processor&nbsp;dir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.&nbsp;<span class=\"diff_add\">&nbsp;</span>For&nbsp;the&nbsp;<span class=\"diff_chg\">malicious&nbsp;print&nbsp;processor&nbsp;to&nbsp;be&nbsp;correctly</span>&nbsp;install</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ectory<span class=\"diff_chg\">&nbsp;that&nbsp;can&nbsp;be</span>&nbsp;found&nbsp;with&nbsp;the&nbsp;&lt;code&gt;GetPrintProcessorDir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed,&nbsp;<span class=\"diff_chg\">the&nbsp;payload</span>&nbsp;must&nbsp;be&nbsp;located&nbsp;in&nbsp;the<span class=\"diff_add\">&nbsp;dedicated</span>&nbsp;system&nbsp;prin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ectory&lt;/code&gt;&nbsp;API&nbsp;call.(Citation:&nbsp;Microsoft&nbsp;AddPrintProcesso</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t-processor&nbsp;directory<span class=\"diff_chg\">,&nbsp;that&nbsp;can&nbsp;be</span>&nbsp;found&nbsp;with&nbsp;the&nbsp;&lt;code&gt;GetP</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;May&nbsp;2018)&nbsp;After&nbsp;the&nbsp;print&nbsp;processors&nbsp;are&nbsp;installed,&nbsp;the&nbsp;pr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rintProcessorDirectory&lt;/code&gt;&nbsp;API&nbsp;call<span class=\"diff_add\">,&nbsp;or&nbsp;referenced&nbsp;via&nbsp;a&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">int&nbsp;spooler&nbsp;service,&nbsp;which&nbsp;starts&nbsp;during&nbsp;boot,&nbsp;must&nbsp;be&nbsp;resta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">relative&nbsp;path&nbsp;from&nbsp;this&nbsp;directory</span>.(Citation:&nbsp;Microsoft&nbsp;AddPr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rted&nbsp;in&nbsp;order&nbsp;for&nbsp;them&nbsp;to&nbsp;run.(Citation:&nbsp;ESET&nbsp;PipeMon&nbsp;May&nbsp;20</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intProcessor&nbsp;May&nbsp;2018)&nbsp;After&nbsp;the&nbsp;print&nbsp;processors&nbsp;are&nbsp;instal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">20)&nbsp;The&nbsp;print&nbsp;spooler&nbsp;service&nbsp;runs&nbsp;under&nbsp;SYSTEM&nbsp;level&nbsp;permis</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">led,&nbsp;the&nbsp;print&nbsp;spooler&nbsp;service,&nbsp;which&nbsp;starts&nbsp;during&nbsp;boot,&nbsp;mu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sions,&nbsp;therefore&nbsp;print&nbsp;processors&nbsp;installed&nbsp;by&nbsp;an&nbsp;adversary&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">st&nbsp;be&nbsp;restarted&nbsp;in&nbsp;order&nbsp;for&nbsp;them&nbsp;to&nbsp;run.(Citation:&nbsp;ESET&nbsp;Pip</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;run&nbsp;under&nbsp;elevated&nbsp;privileges.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eMon&nbsp;May&nbsp;2020)&nbsp;<span class=\"diff_add\">&nbsp;</span>The&nbsp;print&nbsp;spooler&nbsp;service&nbsp;runs&nbsp;under&nbsp;SYSTEM&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">level&nbsp;permissions,&nbsp;therefore&nbsp;print&nbsp;processors&nbsp;installed&nbsp;by&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;adversary&nbsp;may&nbsp;run&nbsp;under&nbsp;elevated&nbsp;privileges.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management"
@@ -3089,7 +3089,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:35:12.501000+00:00\", \"old_value\": \"2020-11-10 15:55:10.103000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user\\u2019s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user\\u2019s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)\\n\\nAdversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user\\u2019s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.\\n\\nAdversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)\", \"old_value\": \"Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the <code>/etc/xdg/autostart</code> or <code>~/.config/autostart</code> directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\\n\\nWithin an XDG autostart entry file, the <code>Type</code> key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The <code>Name</code> key indicates an arbitrary name assigned by the creator and the <code>Exec</code> key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\\n\\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the <code>/etc/xdg/autostart</code> or <code>~/.config/autostart</code> directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\\n+Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user\\u2019s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user\\u2019s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)\\n \\n-Within an XDG autostart entry file, the <code>Type</code> key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The <code>Name</code> key indicates an arbitrary name assigned by the creator and the <code>Exec</code> key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\\n+Adversaries may abuse this feature to establish persistence by adding a path to a malicious binary or command to the `Exec` directive in the `.desktop` configuration file. When the user\\u2019s desktop environment is loaded at user login, the `.desktop` files located in the XDG Autostart directories are automatically executed. System-wide Autostart entries are located in the `/etc/xdg/autostart` directory while the user entries are located in the `~/.config/autostart` directory.\\n \\n-Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.\\n+Adversaries may combine this technique with [Masquerading](https://attack.mitre.org/techniques/T1036) to blend malicious Autostart entries with legitimate programs.(Citation: Red Canary Netwire Linux 2022)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Red Canary Netwire Linux 2022\", \"description\": \"TONY LAMBERT. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.\", \"url\": \"https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/\"}}}",
                     "previous_version": "1.0",
                     "version_change": "1.0 \u2192 1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to3__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to3__0\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"from3_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;modify&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;to&nbsp;execute&nbsp;prog</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"to3_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;add&nbsp;or&nbsp;modify&nbsp;XDG&nbsp;Autostart&nbsp;Entries&nbsp;to&nbsp;execu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rams&nbsp;or&nbsp;commands&nbsp;during&nbsp;system&nbsp;boot.&nbsp;Linux&nbsp;desktop&nbsp;environme</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">te&nbsp;malicious&nbsp;programs&nbsp;or&nbsp;commands&nbsp;when&nbsp;a&nbsp;user\u2019s&nbsp;desktop&nbsp;envi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nts&nbsp;that&nbsp;are&nbsp;XDG&nbsp;compliant&nbsp;implement&nbsp;functionality&nbsp;for&nbsp;XDG&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ronment&nbsp;is&nbsp;loaded&nbsp;at&nbsp;login.&nbsp;XDG&nbsp;Autostart&nbsp;entries&nbsp;are&nbsp;availa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">utostart&nbsp;entries.&nbsp;These&nbsp;entries&nbsp;will&nbsp;allow&nbsp;an&nbsp;application&nbsp;to</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ble&nbsp;for&nbsp;any&nbsp;XDG-compliant&nbsp;Linux&nbsp;system.&nbsp;XDG&nbsp;Autostart&nbsp;entrie</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;automatically&nbsp;start&nbsp;during&nbsp;the&nbsp;startup&nbsp;of&nbsp;a&nbsp;desktop&nbsp;environ</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;use&nbsp;Desktop&nbsp;Entry&nbsp;files&nbsp;(`.desktop`)&nbsp;to&nbsp;configure&nbsp;the&nbsp;user</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ment&nbsp;after&nbsp;user&nbsp;logon.&nbsp;By&nbsp;default,&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;are</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">\u2019s&nbsp;desktop&nbsp;environment&nbsp;upon&nbsp;user&nbsp;login.&nbsp;These&nbsp;configuration&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;stored&nbsp;within&nbsp;the&nbsp;&lt;code&gt;/etc/xdg/autostart&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">files&nbsp;determine&nbsp;what&nbsp;applications&nbsp;launch&nbsp;upon&nbsp;user&nbsp;login,&nbsp;de</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">~/.config/autostart&lt;/code&gt;&nbsp;directories&nbsp;and&nbsp;have&nbsp;a&nbsp;.desktop&nbsp;f</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">fine&nbsp;associated&nbsp;applications&nbsp;to&nbsp;open&nbsp;specific&nbsp;file&nbsp;types,&nbsp;an</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ile&nbsp;extension.(Citation:&nbsp;Free&nbsp;Desktop&nbsp;Application&nbsp;Autostart&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;define&nbsp;applications&nbsp;used&nbsp;to&nbsp;open&nbsp;removable&nbsp;media.(Citation</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Feb&nbsp;2006)&nbsp;&nbsp;Within&nbsp;an&nbsp;XDG&nbsp;autostart&nbsp;entry&nbsp;file,&nbsp;the&nbsp;&lt;code&gt;Typ</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">:&nbsp;Free&nbsp;Desktop&nbsp;Application&nbsp;Autostart&nbsp;Feb&nbsp;2006)(Citation:&nbsp;Fre</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&lt;/code&gt;&nbsp;key&nbsp;specifies&nbsp;if&nbsp;the&nbsp;entry&nbsp;is&nbsp;an&nbsp;application&nbsp;(type&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;Desktop&nbsp;Entry&nbsp;Keys)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;this&nbsp;feature&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">1),&nbsp;link&nbsp;(type&nbsp;2)&nbsp;or&nbsp;directory&nbsp;(type&nbsp;3).&nbsp;The&nbsp;&lt;code&gt;Name&lt;/cod</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;establish&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;path&nbsp;to&nbsp;a&nbsp;malicious&nbsp;binar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&gt;&nbsp;key&nbsp;indicates&nbsp;an&nbsp;arbitrary&nbsp;name&nbsp;assigned&nbsp;by&nbsp;the&nbsp;creator&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;or&nbsp;command&nbsp;to&nbsp;the&nbsp;`Exec`&nbsp;directive&nbsp;in&nbsp;the&nbsp;`.desktop`&nbsp;confi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd&nbsp;the&nbsp;&lt;code&gt;Exec&lt;/code&gt;&nbsp;key&nbsp;indicates&nbsp;the&nbsp;application&nbsp;and&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">guration&nbsp;file.&nbsp;When&nbsp;the&nbsp;user\u2019s&nbsp;desktop&nbsp;environment&nbsp;is&nbsp;loaded</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ommand&nbsp;line&nbsp;arguments&nbsp;to&nbsp;execute.(Citation:&nbsp;Free&nbsp;Desktop&nbsp;Ent</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;at&nbsp;user&nbsp;login,&nbsp;the&nbsp;`.desktop`&nbsp;files&nbsp;located&nbsp;in&nbsp;the&nbsp;XDG&nbsp;Auto</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;Keys)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;to&nbsp;maint</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">start&nbsp;directories&nbsp;are&nbsp;automatically&nbsp;executed.&nbsp;System-wide&nbsp;Au</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ain&nbsp;persistence&nbsp;by&nbsp;executing&nbsp;malicious&nbsp;commands&nbsp;and&nbsp;payloads</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tostart&nbsp;entries&nbsp;are&nbsp;located&nbsp;in&nbsp;the&nbsp;`/etc/xdg/autostart`&nbsp;dire</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;such&nbsp;as&nbsp;remote&nbsp;access&nbsp;tools,&nbsp;during&nbsp;the&nbsp;startup&nbsp;of&nbsp;a&nbsp;deskt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctory&nbsp;while&nbsp;the&nbsp;user&nbsp;entries&nbsp;are&nbsp;located&nbsp;in&nbsp;the&nbsp;`~/.config/a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">op&nbsp;environment.&nbsp;Commands&nbsp;included&nbsp;in&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;w</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">utostart`&nbsp;directory.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;combine&nbsp;this&nbsp;technique</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ith&nbsp;execute&nbsp;after&nbsp;user&nbsp;logon&nbsp;in&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;currently</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;with&nbsp;[Masquerading](https://attack.mitre.org/techniques/T10</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;logged&nbsp;on&nbsp;user.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](htt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">36)&nbsp;to&nbsp;blend&nbsp;malicious&nbsp;Autostart&nbsp;entries&nbsp;with&nbsp;legitimate&nbsp;pro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ps://attack.mitre.org/techniques/T1036)&nbsp;to&nbsp;make&nbsp;XDG&nbsp;autostar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">grams.(Citation:&nbsp;Red&nbsp;Canary&nbsp;Netwire&nbsp;Linux&nbsp;2022)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;entries&nbsp;look&nbsp;as&nbsp;if&nbsp;they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;pro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">grams.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to39__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to39__0\"><a href=\"#difflib_chg_to39__top\">t</a></td><td class=\"diff_header\" id=\"from39_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;modify&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;to&nbsp;execute&nbsp;prog</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to39__top\">t</a></td><td class=\"diff_header\" id=\"to39_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;add&nbsp;or&nbsp;modify&nbsp;XDG&nbsp;Autostart&nbsp;Entries&nbsp;to&nbsp;execu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rams&nbsp;or&nbsp;commands&nbsp;during&nbsp;system&nbsp;boot.&nbsp;Linux&nbsp;desktop&nbsp;environme</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">te&nbsp;malicious&nbsp;programs&nbsp;or&nbsp;commands&nbsp;when&nbsp;a&nbsp;user\u2019s&nbsp;desktop&nbsp;envi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nts&nbsp;that&nbsp;are&nbsp;XDG&nbsp;compliant&nbsp;implement&nbsp;functionality&nbsp;for&nbsp;XDG&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ronment&nbsp;is&nbsp;loaded&nbsp;at&nbsp;login.&nbsp;XDG&nbsp;Autostart&nbsp;entries&nbsp;are&nbsp;availa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">utostart&nbsp;entries.&nbsp;These&nbsp;entries&nbsp;will&nbsp;allow&nbsp;an&nbsp;application&nbsp;to</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ble&nbsp;for&nbsp;any&nbsp;XDG-compliant&nbsp;Linux&nbsp;system.&nbsp;XDG&nbsp;Autostart&nbsp;entrie</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;automatically&nbsp;start&nbsp;during&nbsp;the&nbsp;startup&nbsp;of&nbsp;a&nbsp;desktop&nbsp;environ</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;use&nbsp;Desktop&nbsp;Entry&nbsp;files&nbsp;(`.desktop`)&nbsp;to&nbsp;configure&nbsp;the&nbsp;user</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ment&nbsp;after&nbsp;user&nbsp;logon.&nbsp;By&nbsp;default,&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;are</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">\u2019s&nbsp;desktop&nbsp;environment&nbsp;upon&nbsp;user&nbsp;login.&nbsp;These&nbsp;configuration&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;stored&nbsp;within&nbsp;the&nbsp;&lt;code&gt;/etc/xdg/autostart&lt;/code&gt;&nbsp;or&nbsp;&lt;code&gt;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">files&nbsp;determine&nbsp;what&nbsp;applications&nbsp;launch&nbsp;upon&nbsp;user&nbsp;login,&nbsp;de</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">~/.config/autostart&lt;/code&gt;&nbsp;directories&nbsp;and&nbsp;have&nbsp;a&nbsp;.desktop&nbsp;f</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">fine&nbsp;associated&nbsp;applications&nbsp;to&nbsp;open&nbsp;specific&nbsp;file&nbsp;types,&nbsp;an</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ile&nbsp;extension.(Citation:&nbsp;Free&nbsp;Desktop&nbsp;Application&nbsp;Autostart&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;define&nbsp;applications&nbsp;used&nbsp;to&nbsp;open&nbsp;removable&nbsp;media.(Citation</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Feb&nbsp;2006)&nbsp;&nbsp;Within&nbsp;an&nbsp;XDG&nbsp;autostart&nbsp;entry&nbsp;file,&nbsp;the&nbsp;&lt;code&gt;Typ</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">:&nbsp;Free&nbsp;Desktop&nbsp;Application&nbsp;Autostart&nbsp;Feb&nbsp;2006)(Citation:&nbsp;Fre</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&lt;/code&gt;&nbsp;key&nbsp;specifies&nbsp;if&nbsp;the&nbsp;entry&nbsp;is&nbsp;an&nbsp;application&nbsp;(type&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;Desktop&nbsp;Entry&nbsp;Keys)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;this&nbsp;feature&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">1),&nbsp;link&nbsp;(type&nbsp;2)&nbsp;or&nbsp;directory&nbsp;(type&nbsp;3).&nbsp;The&nbsp;&lt;code&gt;Name&lt;/cod</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;establish&nbsp;persistence&nbsp;by&nbsp;adding&nbsp;a&nbsp;path&nbsp;to&nbsp;a&nbsp;malicious&nbsp;binar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&gt;&nbsp;key&nbsp;indicates&nbsp;an&nbsp;arbitrary&nbsp;name&nbsp;assigned&nbsp;by&nbsp;the&nbsp;creator&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;or&nbsp;command&nbsp;to&nbsp;the&nbsp;`Exec`&nbsp;directive&nbsp;in&nbsp;the&nbsp;`.desktop`&nbsp;confi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd&nbsp;the&nbsp;&lt;code&gt;Exec&lt;/code&gt;&nbsp;key&nbsp;indicates&nbsp;the&nbsp;application&nbsp;and&nbsp;c</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">guration&nbsp;file.&nbsp;When&nbsp;the&nbsp;user\u2019s&nbsp;desktop&nbsp;environment&nbsp;is&nbsp;loaded</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ommand&nbsp;line&nbsp;arguments&nbsp;to&nbsp;execute.(Citation:&nbsp;Free&nbsp;Desktop&nbsp;Ent</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;at&nbsp;user&nbsp;login,&nbsp;the&nbsp;`.desktop`&nbsp;files&nbsp;located&nbsp;in&nbsp;the&nbsp;XDG&nbsp;Auto</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;Keys)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;to&nbsp;maint</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">start&nbsp;directories&nbsp;are&nbsp;automatically&nbsp;executed.&nbsp;System-wide&nbsp;Au</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ain&nbsp;persistence&nbsp;by&nbsp;executing&nbsp;malicious&nbsp;commands&nbsp;and&nbsp;payloads</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tostart&nbsp;entries&nbsp;are&nbsp;located&nbsp;in&nbsp;the&nbsp;`/etc/xdg/autostart`&nbsp;dire</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;such&nbsp;as&nbsp;remote&nbsp;access&nbsp;tools,&nbsp;during&nbsp;the&nbsp;startup&nbsp;of&nbsp;a&nbsp;deskt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctory&nbsp;while&nbsp;the&nbsp;user&nbsp;entries&nbsp;are&nbsp;located&nbsp;in&nbsp;the&nbsp;`~/.config/a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">op&nbsp;environment.&nbsp;Commands&nbsp;included&nbsp;in&nbsp;XDG&nbsp;autostart&nbsp;entries&nbsp;w</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">utostart`&nbsp;directory.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;combine&nbsp;this&nbsp;technique</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ith&nbsp;execute&nbsp;after&nbsp;user&nbsp;logon&nbsp;in&nbsp;the&nbsp;context&nbsp;of&nbsp;the&nbsp;currently</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;with&nbsp;[Masquerading](https://attack.mitre.org/techniques/T10</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;logged&nbsp;on&nbsp;user.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;[Masquerading](htt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">36)&nbsp;to&nbsp;blend&nbsp;malicious&nbsp;Autostart&nbsp;entries&nbsp;with&nbsp;legitimate&nbsp;pro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ps://attack.mitre.org/techniques/T1036)&nbsp;to&nbsp;make&nbsp;XDG&nbsp;autostar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">grams.(Citation:&nbsp;Red&nbsp;Canary&nbsp;Netwire&nbsp;Linux&nbsp;2022)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;entries&nbsp;look&nbsp;as&nbsp;if&nbsp;they&nbsp;are&nbsp;associated&nbsp;with&nbsp;legitimate&nbsp;pro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">grams.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -3648,7 +3648,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 04:18:40.956000+00:00\", \"old_value\": \"2021-10-19 03:18:43.648000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\\n\\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary\\u2019s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\\n\\nSince these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\", \"old_value\": \"Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\\n\\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\\n \\n-Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\\n+Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary\\u2019s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\\n+\\n+Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Unit42 Banking Trojans Hooking 2022\", \"description\": \"Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.\", \"url\": \"https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n\"}, \"root['external_references'][2]\": {\"source_name\": \"ESET FontOnLake Analysis 2021\", \"description\": \"Vladislav Hr\\u010dka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.\", \"url\": \"https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf\"}}}",
                     "previous_version": "1.0",
                     "version_change": "1.0 \u2192 1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to11__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to11__0\"><a href=\"#difflib_chg_to11__top\">t</a></td><td class=\"diff_header\" id=\"from11_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to11__top\">t</a></td><td class=\"diff_header\" id=\"to11_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;persistent&nbsp;access&nbsp;to&nbsp;systems.&nbsp;Client&nbsp;software&nbsp;enables&nbsp;users</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;persistent&nbsp;access&nbsp;to&nbsp;systems.&nbsp;Client&nbsp;software&nbsp;enables&nbsp;users</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;to&nbsp;access&nbsp;services&nbsp;provided&nbsp;by&nbsp;a&nbsp;server.&nbsp;Common&nbsp;client&nbsp;soft</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;access&nbsp;services&nbsp;provided&nbsp;by&nbsp;a&nbsp;server.&nbsp;Common&nbsp;client&nbsp;soft</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ware&nbsp;types&nbsp;are&nbsp;SSH&nbsp;clients,&nbsp;FTP&nbsp;clients,&nbsp;email&nbsp;clients,&nbsp;and&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ware&nbsp;types&nbsp;are&nbsp;SSH&nbsp;clients,&nbsp;FTP&nbsp;clients,&nbsp;email&nbsp;clients,&nbsp;and&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">web&nbsp;browsers.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;modifications&nbsp;to&nbsp;client&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">web&nbsp;browsers.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;modifications&nbsp;to&nbsp;client&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">software&nbsp;binaries&nbsp;to&nbsp;carry&nbsp;out&nbsp;malicious&nbsp;tasks&nbsp;when&nbsp;those&nbsp;ap</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">software&nbsp;binaries&nbsp;to&nbsp;carry&nbsp;out&nbsp;malicious&nbsp;tasks&nbsp;when&nbsp;those&nbsp;ap</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">plications&nbsp;are&nbsp;in&nbsp;use.&nbsp;For&nbsp;example,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;copy&nbsp;so</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">plications&nbsp;are&nbsp;in&nbsp;use.&nbsp;For&nbsp;example,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;copy&nbsp;so</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">urce&nbsp;code&nbsp;for&nbsp;the&nbsp;client&nbsp;software,&nbsp;add&nbsp;a&nbsp;backdoor,&nbsp;compile&nbsp;f</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urce&nbsp;code&nbsp;for&nbsp;the&nbsp;client&nbsp;software,&nbsp;add&nbsp;a&nbsp;backdoor,&nbsp;compile&nbsp;f</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">or&nbsp;the&nbsp;target,&nbsp;and&nbsp;replace&nbsp;the&nbsp;legitimate&nbsp;application&nbsp;binary</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">or&nbsp;the&nbsp;target,&nbsp;and&nbsp;replace&nbsp;the&nbsp;legitimate&nbsp;application&nbsp;binary</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;(or&nbsp;support&nbsp;files)&nbsp;with&nbsp;the&nbsp;backdoored&nbsp;one.&nbsp;Since&nbsp;these&nbsp;app</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;(or&nbsp;support&nbsp;files)&nbsp;with&nbsp;the&nbsp;backdoored&nbsp;one.&nbsp;An&nbsp;adversary&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lications&nbsp;may&nbsp;be&nbsp;routinely&nbsp;executed&nbsp;by&nbsp;the&nbsp;user,&nbsp;the&nbsp;adversa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;also&nbsp;modify&nbsp;an&nbsp;existing&nbsp;binary&nbsp;by&nbsp;patching&nbsp;in&nbsp;malicious&nbsp;fu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;can&nbsp;leverage&nbsp;this&nbsp;for&nbsp;persistent&nbsp;access&nbsp;to&nbsp;the&nbsp;host.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nctionality&nbsp;(e.g.,&nbsp;IAT&nbsp;Hooking/Entry&nbsp;point&nbsp;patching)(Citatio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n:&nbsp;Unit42&nbsp;Banking&nbsp;Trojans&nbsp;Hooking&nbsp;2022)&nbsp;prior&nbsp;to&nbsp;the&nbsp;binary\u2019</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;legitimate&nbsp;execution.&nbsp;For&nbsp;example,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;modify</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;entry&nbsp;point&nbsp;of&nbsp;a&nbsp;binary&nbsp;to&nbsp;point&nbsp;to&nbsp;malicious&nbsp;code&nbsp;patc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hed&nbsp;in&nbsp;by&nbsp;the&nbsp;adversary&nbsp;before&nbsp;resuming&nbsp;normal&nbsp;execution&nbsp;flo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">w.(Citation:&nbsp;ESET&nbsp;FontOnLake&nbsp;Analysis&nbsp;2021)&nbsp;&nbsp;Since&nbsp;these&nbsp;app</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lications&nbsp;may&nbsp;be&nbsp;routinely&nbsp;executed&nbsp;by&nbsp;the&nbsp;user,&nbsp;the&nbsp;adversa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ry&nbsp;can&nbsp;leverage&nbsp;this&nbsp;for&nbsp;persistent&nbsp;access&nbsp;to&nbsp;the&nbsp;host.</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to9__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to9__0\"><a href=\"#difflib_chg_to9__top\">t</a></td><td class=\"diff_header\" id=\"from9_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to9__top\">t</a></td><td class=\"diff_header\" id=\"to9_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;modify&nbsp;client&nbsp;software&nbsp;binaries&nbsp;to&nbsp;establish</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;persistent&nbsp;access&nbsp;to&nbsp;systems.&nbsp;Client&nbsp;software&nbsp;enables&nbsp;users</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;persistent&nbsp;access&nbsp;to&nbsp;systems.&nbsp;Client&nbsp;software&nbsp;enables&nbsp;users</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;to&nbsp;access&nbsp;services&nbsp;provided&nbsp;by&nbsp;a&nbsp;server.&nbsp;Common&nbsp;client&nbsp;soft</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;access&nbsp;services&nbsp;provided&nbsp;by&nbsp;a&nbsp;server.&nbsp;Common&nbsp;client&nbsp;soft</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ware&nbsp;types&nbsp;are&nbsp;SSH&nbsp;clients,&nbsp;FTP&nbsp;clients,&nbsp;email&nbsp;clients,&nbsp;and&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ware&nbsp;types&nbsp;are&nbsp;SSH&nbsp;clients,&nbsp;FTP&nbsp;clients,&nbsp;email&nbsp;clients,&nbsp;and&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">web&nbsp;browsers.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;modifications&nbsp;to&nbsp;client&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">web&nbsp;browsers.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;modifications&nbsp;to&nbsp;client&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">software&nbsp;binaries&nbsp;to&nbsp;carry&nbsp;out&nbsp;malicious&nbsp;tasks&nbsp;when&nbsp;those&nbsp;ap</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">software&nbsp;binaries&nbsp;to&nbsp;carry&nbsp;out&nbsp;malicious&nbsp;tasks&nbsp;when&nbsp;those&nbsp;ap</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">plications&nbsp;are&nbsp;in&nbsp;use.&nbsp;For&nbsp;example,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;copy&nbsp;so</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">plications&nbsp;are&nbsp;in&nbsp;use.&nbsp;For&nbsp;example,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;copy&nbsp;so</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">urce&nbsp;code&nbsp;for&nbsp;the&nbsp;client&nbsp;software,&nbsp;add&nbsp;a&nbsp;backdoor,&nbsp;compile&nbsp;f</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urce&nbsp;code&nbsp;for&nbsp;the&nbsp;client&nbsp;software,&nbsp;add&nbsp;a&nbsp;backdoor,&nbsp;compile&nbsp;f</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">or&nbsp;the&nbsp;target,&nbsp;and&nbsp;replace&nbsp;the&nbsp;legitimate&nbsp;application&nbsp;binary</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">or&nbsp;the&nbsp;target,&nbsp;and&nbsp;replace&nbsp;the&nbsp;legitimate&nbsp;application&nbsp;binary</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;(or&nbsp;support&nbsp;files)&nbsp;with&nbsp;the&nbsp;backdoored&nbsp;one.&nbsp;Since&nbsp;these&nbsp;app</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;(or&nbsp;support&nbsp;files)&nbsp;with&nbsp;the&nbsp;backdoored&nbsp;one.&nbsp;An&nbsp;adversary&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lications&nbsp;may&nbsp;be&nbsp;routinely&nbsp;executed&nbsp;by&nbsp;the&nbsp;user,&nbsp;the&nbsp;adversa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;also&nbsp;modify&nbsp;an&nbsp;existing&nbsp;binary&nbsp;by&nbsp;patching&nbsp;in&nbsp;malicious&nbsp;fu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;can&nbsp;leverage&nbsp;this&nbsp;for&nbsp;persistent&nbsp;access&nbsp;to&nbsp;the&nbsp;host.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nctionality&nbsp;(e.g.,&nbsp;IAT&nbsp;Hooking/Entry&nbsp;point&nbsp;patching)(Citatio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n:&nbsp;Unit42&nbsp;Banking&nbsp;Trojans&nbsp;Hooking&nbsp;2022)&nbsp;prior&nbsp;to&nbsp;the&nbsp;binary\u2019</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;legitimate&nbsp;execution.&nbsp;For&nbsp;example,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;modify</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;entry&nbsp;point&nbsp;of&nbsp;a&nbsp;binary&nbsp;to&nbsp;point&nbsp;to&nbsp;malicious&nbsp;code&nbsp;patc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hed&nbsp;in&nbsp;by&nbsp;the&nbsp;adversary&nbsp;before&nbsp;resuming&nbsp;normal&nbsp;execution&nbsp;flo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">w.(Citation:&nbsp;ESET&nbsp;FontOnLake&nbsp;Analysis&nbsp;2021)&nbsp;&nbsp;Since&nbsp;these&nbsp;app</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lications&nbsp;may&nbsp;be&nbsp;routinely&nbsp;executed&nbsp;by&nbsp;the&nbsp;user,&nbsp;the&nbsp;adversa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ry&nbsp;can&nbsp;leverage&nbsp;this&nbsp;for&nbsp;persistent&nbsp;access&nbsp;to&nbsp;the&nbsp;host.</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1045: Code Signing"
@@ -3774,7 +3774,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:10:49.053000+00:00\", \"old_value\": \"2023-04-12 13:32:15.704000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\\n\\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\\n\\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)\", \"old_value\": \"Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\\n\\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\\n\\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\\n \\n-Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\\n+Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)\\n \\n By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Sysdig Proxyjacking\", \"description\": \"Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.\", \"url\": \"https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/\"}, \"root['x_mitre_contributors'][2]\": \"Goldstein Menachem\"}}",
                     "previous_version": "1.3",
                     "version_change": "1.3 \u2192 1.4",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to13__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to13__0\"><a href=\"#difflib_chg_to13__top\">t</a></td><td class=\"diff_header\" id=\"from13_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td><td class=\"diff_next\"><a href=\"#difflib_chg_to13__top\">t</a></td><td class=\"diff_header\" id=\"to13_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;Infrastructure&nbsp;solutions&nbsp;includ</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;Infrastructure&nbsp;solutions&nbsp;includ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;domains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;domains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;DNS&nbsp;services.&nbsp;Instead&nbsp;of&nbsp;buying,&nbsp;leasing,&nbsp;or&nbsp;renting&nbsp;infra</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;DNS&nbsp;services.&nbsp;Instead&nbsp;of&nbsp;buying,&nbsp;leasing,&nbsp;or&nbsp;renting&nbsp;infra</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structure&nbsp;an&nbsp;adversary&nbsp;may&nbsp;compromise&nbsp;infrastructure&nbsp;and&nbsp;use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structure&nbsp;an&nbsp;adversary&nbsp;may&nbsp;compromise&nbsp;infrastructure&nbsp;and&nbsp;use</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;it&nbsp;during&nbsp;other&nbsp;phases&nbsp;of&nbsp;the&nbsp;adversary&nbsp;lifecycle.(Citation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;it&nbsp;during&nbsp;other&nbsp;phases&nbsp;of&nbsp;the&nbsp;adversary&nbsp;lifecycle.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;Mandiant&nbsp;APT1)(Citation:&nbsp;ICANNDomainNameHijacking)(Citatio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;Mandiant&nbsp;APT1)(Citation:&nbsp;ICANNDomainNameHijacking)(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Talos&nbsp;DNSpionage&nbsp;Nov&nbsp;2018)(Citation:&nbsp;FireEye&nbsp;EPS&nbsp;Awakens&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Talos&nbsp;DNSpionage&nbsp;Nov&nbsp;2018)(Citation:&nbsp;FireEye&nbsp;EPS&nbsp;Awakens&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Part&nbsp;2)&nbsp;Additionally,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;numerous&nbsp;ma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Part&nbsp;2)&nbsp;Additionally,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;numerous&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">chines&nbsp;to&nbsp;form&nbsp;a&nbsp;botnet&nbsp;they&nbsp;can&nbsp;leverage.&nbsp;&nbsp;Use&nbsp;of&nbsp;compromis</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">chines&nbsp;to&nbsp;form&nbsp;a&nbsp;botnet&nbsp;they&nbsp;can&nbsp;leverage.&nbsp;&nbsp;Use&nbsp;of&nbsp;compromis</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;infrastructure&nbsp;allows&nbsp;adversaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;infrastructure&nbsp;allows&nbsp;adversaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecute&nbsp;operations.&nbsp;Compromised&nbsp;infrastructure&nbsp;can&nbsp;help&nbsp;adver</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecute&nbsp;operations.&nbsp;Compromised&nbsp;infrastructure&nbsp;can&nbsp;help&nbsp;adver</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;seen&nbsp;as&nbsp;normal</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;seen&nbsp;as&nbsp;normal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;such&nbsp;as&nbsp;contact&nbsp;with&nbsp;high&nbsp;reputation&nbsp;or&nbsp;trusted&nbsp;sites.&nbsp;For</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;such&nbsp;as&nbsp;contact&nbsp;with&nbsp;high&nbsp;reputation&nbsp;or&nbsp;trusted&nbsp;sites.&nbsp;For</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;leverage&nbsp;compromised&nbsp;infrastructur</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;leverage&nbsp;compromised&nbsp;infrastructur</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(potentially&nbsp;also&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;[Digital&nbsp;Certificate</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(potentially&nbsp;also&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;[Digital&nbsp;Certificate</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s](https://attack.mitre.org/techniques/T1588/004))&nbsp;to&nbsp;furthe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s](https://attack.mitre.org/techniques/T1588/004))&nbsp;to&nbsp;furthe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;blend&nbsp;in&nbsp;and&nbsp;support&nbsp;staged&nbsp;information&nbsp;gathering&nbsp;and/or&nbsp;[</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;blend&nbsp;in&nbsp;and&nbsp;support&nbsp;staged&nbsp;information&nbsp;gathering&nbsp;and/or&nbsp;[</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Phishing](https://attack.mitre.org/techniques/T1566)&nbsp;campaig</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Phishing](https://attack.mitre.org/techniques/T1566)&nbsp;campaig</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns.(Citation:&nbsp;FireEye&nbsp;DNS&nbsp;Hijack&nbsp;2019)&nbsp;Additionally,&nbsp;adversa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns.(Citation:&nbsp;FireEye&nbsp;DNS&nbsp;Hijack&nbsp;2019)&nbsp;Additionally,&nbsp;adversa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;also&nbsp;compromise&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;also&nbsp;compromise&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1090).(Citation:&nbsp;amnesty</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1090)<span class=\"diff_add\">&nbsp;and/or&nbsp;proxyware&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">_nso_pegasus)&nbsp;&nbsp;By&nbsp;using&nbsp;compromised&nbsp;infrastructure,&nbsp;adversar</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ervices</span>.(Citation:&nbsp;amnesty_nso_pegasus)<span class=\"diff_add\">(Citation:&nbsp;Sysdig&nbsp;Pro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;may&nbsp;make&nbsp;it&nbsp;difficult&nbsp;to&nbsp;tie&nbsp;their&nbsp;actions&nbsp;back&nbsp;to&nbsp;them.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xyjacking)</span>&nbsp;&nbsp;By&nbsp;using&nbsp;compromised&nbsp;infrastructure,&nbsp;adversaries</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Prior&nbsp;to&nbsp;targeting,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;the&nbsp;infrastr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;make&nbsp;it&nbsp;difficult&nbsp;to&nbsp;tie&nbsp;their&nbsp;actions&nbsp;back&nbsp;to&nbsp;them.&nbsp;Pr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ucture&nbsp;of&nbsp;other&nbsp;adversaries.(Citation:&nbsp;NSA&nbsp;NCSC&nbsp;Turla&nbsp;OilRig</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ior&nbsp;to&nbsp;targeting,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;the&nbsp;infrastruct</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ure&nbsp;of&nbsp;other&nbsp;adversaries.(Citation:&nbsp;NSA&nbsp;NCSC&nbsp;Turla&nbsp;OilRig)</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to31__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to31__0\"><a href=\"#difflib_chg_to31__top\">t</a></td><td class=\"diff_header\" id=\"from31_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td><td class=\"diff_next\"><a href=\"#difflib_chg_to31__top\">t</a></td><td class=\"diff_header\" id=\"to31_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;compromise&nbsp;third-party&nbsp;infrastructure&nbsp;that&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;Infrastructure&nbsp;solutions&nbsp;includ</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">an&nbsp;be&nbsp;used&nbsp;during&nbsp;targeting.&nbsp;Infrastructure&nbsp;solutions&nbsp;includ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;domains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;physical&nbsp;or&nbsp;cloud&nbsp;servers,&nbsp;domains,&nbsp;and&nbsp;third-party&nbsp;web&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;DNS&nbsp;services.&nbsp;Instead&nbsp;of&nbsp;buying,&nbsp;leasing,&nbsp;or&nbsp;renting&nbsp;infra</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;DNS&nbsp;services.&nbsp;Instead&nbsp;of&nbsp;buying,&nbsp;leasing,&nbsp;or&nbsp;renting&nbsp;infra</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structure&nbsp;an&nbsp;adversary&nbsp;may&nbsp;compromise&nbsp;infrastructure&nbsp;and&nbsp;use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structure&nbsp;an&nbsp;adversary&nbsp;may&nbsp;compromise&nbsp;infrastructure&nbsp;and&nbsp;use</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;it&nbsp;during&nbsp;other&nbsp;phases&nbsp;of&nbsp;the&nbsp;adversary&nbsp;lifecycle.(Citation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;it&nbsp;during&nbsp;other&nbsp;phases&nbsp;of&nbsp;the&nbsp;adversary&nbsp;lifecycle.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;Mandiant&nbsp;APT1)(Citation:&nbsp;ICANNDomainNameHijacking)(Citatio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;Mandiant&nbsp;APT1)(Citation:&nbsp;ICANNDomainNameHijacking)(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Talos&nbsp;DNSpionage&nbsp;Nov&nbsp;2018)(Citation:&nbsp;FireEye&nbsp;EPS&nbsp;Awakens&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Talos&nbsp;DNSpionage&nbsp;Nov&nbsp;2018)(Citation:&nbsp;FireEye&nbsp;EPS&nbsp;Awakens&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Part&nbsp;2)&nbsp;Additionally,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;numerous&nbsp;ma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Part&nbsp;2)&nbsp;Additionally,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;numerous&nbsp;ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">chines&nbsp;to&nbsp;form&nbsp;a&nbsp;botnet&nbsp;they&nbsp;can&nbsp;leverage.&nbsp;&nbsp;Use&nbsp;of&nbsp;compromis</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">chines&nbsp;to&nbsp;form&nbsp;a&nbsp;botnet&nbsp;they&nbsp;can&nbsp;leverage.&nbsp;&nbsp;Use&nbsp;of&nbsp;compromis</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;infrastructure&nbsp;allows&nbsp;adversaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;infrastructure&nbsp;allows&nbsp;adversaries&nbsp;to&nbsp;stage,&nbsp;launch,&nbsp;and&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecute&nbsp;operations.&nbsp;Compromised&nbsp;infrastructure&nbsp;can&nbsp;help&nbsp;adver</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xecute&nbsp;operations.&nbsp;Compromised&nbsp;infrastructure&nbsp;can&nbsp;help&nbsp;adver</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;seen&nbsp;as&nbsp;normal</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sary&nbsp;operations&nbsp;blend&nbsp;in&nbsp;with&nbsp;traffic&nbsp;that&nbsp;is&nbsp;seen&nbsp;as&nbsp;normal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;such&nbsp;as&nbsp;contact&nbsp;with&nbsp;high&nbsp;reputation&nbsp;or&nbsp;trusted&nbsp;sites.&nbsp;For</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;such&nbsp;as&nbsp;contact&nbsp;with&nbsp;high&nbsp;reputation&nbsp;or&nbsp;trusted&nbsp;sites.&nbsp;For</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;leverage&nbsp;compromised&nbsp;infrastructur</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;example,&nbsp;adversaries&nbsp;may&nbsp;leverage&nbsp;compromised&nbsp;infrastructur</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(potentially&nbsp;also&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;[Digital&nbsp;Certificate</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(potentially&nbsp;also&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;[Digital&nbsp;Certificate</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s](https://attack.mitre.org/techniques/T1588/004))&nbsp;to&nbsp;furthe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s](https://attack.mitre.org/techniques/T1588/004))&nbsp;to&nbsp;furthe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;blend&nbsp;in&nbsp;and&nbsp;support&nbsp;staged&nbsp;information&nbsp;gathering&nbsp;and/or&nbsp;[</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;blend&nbsp;in&nbsp;and&nbsp;support&nbsp;staged&nbsp;information&nbsp;gathering&nbsp;and/or&nbsp;[</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Phishing](https://attack.mitre.org/techniques/T1566)&nbsp;campaig</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Phishing](https://attack.mitre.org/techniques/T1566)&nbsp;campaig</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns.(Citation:&nbsp;FireEye&nbsp;DNS&nbsp;Hijack&nbsp;2019)&nbsp;Additionally,&nbsp;adversa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ns.(Citation:&nbsp;FireEye&nbsp;DNS&nbsp;Hijack&nbsp;2019)&nbsp;Additionally,&nbsp;adversa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;also&nbsp;compromise&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ries&nbsp;may&nbsp;also&nbsp;compromise&nbsp;infrastructure&nbsp;to&nbsp;support&nbsp;[Proxy](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1090).(Citation:&nbsp;amnesty</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1090)<span class=\"diff_add\">&nbsp;and/or&nbsp;proxyware&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">_nso_pegasus)&nbsp;&nbsp;By&nbsp;using&nbsp;compromised&nbsp;infrastructure,&nbsp;adversar</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ervices</span>.(Citation:&nbsp;amnesty_nso_pegasus)<span class=\"diff_add\">(Citation:&nbsp;Sysdig&nbsp;Pro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;may&nbsp;make&nbsp;it&nbsp;difficult&nbsp;to&nbsp;tie&nbsp;their&nbsp;actions&nbsp;back&nbsp;to&nbsp;them.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xyjacking)</span>&nbsp;&nbsp;By&nbsp;using&nbsp;compromised&nbsp;infrastructure,&nbsp;adversaries</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Prior&nbsp;to&nbsp;targeting,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;the&nbsp;infrastr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;make&nbsp;it&nbsp;difficult&nbsp;to&nbsp;tie&nbsp;their&nbsp;actions&nbsp;back&nbsp;to&nbsp;them.&nbsp;Pr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ucture&nbsp;of&nbsp;other&nbsp;adversaries.(Citation:&nbsp;NSA&nbsp;NCSC&nbsp;Turla&nbsp;OilRig</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ior&nbsp;to&nbsp;targeting,&nbsp;adversaries&nbsp;may&nbsp;compromise&nbsp;the&nbsp;infrastruct</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ure&nbsp;of&nbsp;other&nbsp;adversaries.(Citation:&nbsp;NSA&nbsp;NCSC&nbsp;Turla&nbsp;OilRig)</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1056: Pre-compromise"
@@ -4110,7 +4110,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:40:37.995000+00:00\", \"old_value\": \"2023-04-12 23:23:35.209000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \\n\\nFor example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\\n\\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\", \"old_value\": \"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>.(Citation: cisco_username_cmd)\\n\\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>.(Citation: cisco_username_cmd)\\n+Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \\n+\\n+For example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\\n \\n Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Kubernetes Service Accounts Security\", \"description\": \"Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.\", \"url\": \"https://kubernetes.io/docs/concepts/security/service-accounts/\"}, \"root['x_mitre_platforms'][4]\": \"Containers\"}}",
                     "previous_version": "1.2",
                     "version_change": "1.2 \u2192 1.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to15__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to15__0\"><a href=\"#difflib_chg_to15__top\">t</a></td><td class=\"diff_header\" id=\"from15_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td><td class=\"diff_next\"><a href=\"#difflib_chg_to15__top\">t</a></td><td class=\"diff_header\" id=\"to15_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;victim&nbsp;systems.&nbsp;Local&nbsp;accounts&nbsp;are&nbsp;those&nbsp;configured&nbsp;by&nbsp;an&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;victim&nbsp;systems.&nbsp;Local&nbsp;accounts&nbsp;are&nbsp;those&nbsp;configured&nbsp;by&nbsp;an&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rganization&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rganization&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;f</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;administration&nbsp;on&nbsp;a&nbsp;single&nbsp;system&nbsp;or&nbsp;service.&nbsp;<span class=\"diff_chg\">With&nbsp;a</span>&nbsp;suff</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;administration&nbsp;on&nbsp;a&nbsp;single&nbsp;system&nbsp;or&nbsp;service.&nbsp;<span class=\"diff_chg\">&nbsp;&nbsp;For&nbsp;examp</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icient&nbsp;level&nbsp;of&nbsp;access,&nbsp;the&nbsp;&lt;code&gt;net&nbsp;user&nbsp;/add&lt;/code&gt;&nbsp;comma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">le,&nbsp;with&nbsp;a</span>&nbsp;sufficient&nbsp;level&nbsp;of&nbsp;access,&nbsp;the<span class=\"diff_add\">&nbsp;Windows</span>&nbsp;&lt;code&gt;net</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a&nbsp;local&nbsp;account.&nbsp;On&nbsp;macOS&nbsp;systems&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;user&nbsp;/add&lt;/code&gt;&nbsp;command&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a&nbsp;local&nbsp;acco</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;&lt;code&gt;dscl&nbsp;-create&lt;/code&gt;&nbsp;command&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unt.&nbsp;On&nbsp;macOS&nbsp;systems&nbsp;the&nbsp;&lt;code&gt;dscl&nbsp;-create&lt;/code&gt;&nbsp;command&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;local&nbsp;account.&nbsp;Local&nbsp;accounts&nbsp;may&nbsp;also&nbsp;be&nbsp;added&nbsp;to&nbsp;network&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a&nbsp;local&nbsp;account.&nbsp;Local&nbsp;accounts&nbsp;may&nbsp;al</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">devices,&nbsp;often&nbsp;via&nbsp;common&nbsp;[Network&nbsp;Device&nbsp;CLI](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">so&nbsp;be&nbsp;added&nbsp;to&nbsp;network&nbsp;devices,&nbsp;often&nbsp;via&nbsp;common&nbsp;[Network&nbsp;De</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1059/008)&nbsp;commands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">vice&nbsp;CLI](https://attack.mitre.org/techniques/T1059/008)&nbsp;com</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rname&lt;/code&gt;.(Citation:&nbsp;cisco_username_cmd)<span class=\"diff_chg\">&nbsp;</span>&nbsp;S<span class=\"diff_chg\">uch&nbsp;accounts&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;username&lt;/code&gt;<span class=\"diff_add\">,&nbsp;or&nbsp;to&nbsp;Kubernetes&nbsp;cluste</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ay&nbsp;be&nbsp;used&nbsp;to&nbsp;establish&nbsp;secondary&nbsp;credentialed&nbsp;access&nbsp;that&nbsp;d</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rs&nbsp;using&nbsp;the&nbsp;`kubectl`&nbsp;utility</span>.(Citation:&nbsp;cisco_username_cmd</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">o&nbsp;not</span>&nbsp;require&nbsp;persistent&nbsp;remote&nbsp;access&nbsp;tools&nbsp;to&nbsp;be&nbsp;deployed&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)<span class=\"diff_chg\">(Citation:&nbsp;Kubernetes</span>&nbsp;S<span class=\"diff_chg\">ervice&nbsp;Accounts&nbsp;Security)&nbsp;&nbsp;Such&nbsp;acco</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;the&nbsp;system.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">unts&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;establish&nbsp;secondary&nbsp;credentialed&nbsp;access&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">that&nbsp;do&nbsp;not</span>&nbsp;require&nbsp;persistent&nbsp;remote&nbsp;access&nbsp;tools&nbsp;to&nbsp;be&nbsp;dep</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">loyed&nbsp;on&nbsp;the&nbsp;system.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to29__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to29__0\"><a href=\"#difflib_chg_to29__top\">t</a></td><td class=\"diff_header\" id=\"from29_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td><td class=\"diff_next\"><a href=\"#difflib_chg_to29__top\">t</a></td><td class=\"diff_header\" id=\"to29_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;create&nbsp;a&nbsp;local&nbsp;account&nbsp;to&nbsp;maintain&nbsp;access&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;victim&nbsp;systems.&nbsp;Local&nbsp;accounts&nbsp;are&nbsp;those&nbsp;configured&nbsp;by&nbsp;an&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;victim&nbsp;systems.&nbsp;Local&nbsp;accounts&nbsp;are&nbsp;those&nbsp;configured&nbsp;by&nbsp;an&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rganization&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rganization&nbsp;for&nbsp;use&nbsp;by&nbsp;users,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;f</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;administration&nbsp;on&nbsp;a&nbsp;single&nbsp;system&nbsp;or&nbsp;service.&nbsp;<span class=\"diff_chg\">With&nbsp;a</span>&nbsp;suff</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;administration&nbsp;on&nbsp;a&nbsp;single&nbsp;system&nbsp;or&nbsp;service.&nbsp;<span class=\"diff_chg\">&nbsp;&nbsp;For&nbsp;examp</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icient&nbsp;level&nbsp;of&nbsp;access,&nbsp;the&nbsp;&lt;code&gt;net&nbsp;user&nbsp;/add&lt;/code&gt;&nbsp;comma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">le,&nbsp;with&nbsp;a</span>&nbsp;sufficient&nbsp;level&nbsp;of&nbsp;access,&nbsp;the<span class=\"diff_add\">&nbsp;Windows</span>&nbsp;&lt;code&gt;net</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a&nbsp;local&nbsp;account.&nbsp;On&nbsp;macOS&nbsp;systems&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;user&nbsp;/add&lt;/code&gt;&nbsp;command&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a&nbsp;local&nbsp;acco</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;&lt;code&gt;dscl&nbsp;-create&lt;/code&gt;&nbsp;command&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unt.&nbsp;On&nbsp;macOS&nbsp;systems&nbsp;the&nbsp;&lt;code&gt;dscl&nbsp;-create&lt;/code&gt;&nbsp;command&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;local&nbsp;account.&nbsp;Local&nbsp;accounts&nbsp;may&nbsp;also&nbsp;be&nbsp;added&nbsp;to&nbsp;network&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">can&nbsp;be&nbsp;used&nbsp;to&nbsp;create&nbsp;a&nbsp;local&nbsp;account.&nbsp;Local&nbsp;accounts&nbsp;may&nbsp;al</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">devices,&nbsp;often&nbsp;via&nbsp;common&nbsp;[Network&nbsp;Device&nbsp;CLI](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">so&nbsp;be&nbsp;added&nbsp;to&nbsp;network&nbsp;devices,&nbsp;often&nbsp;via&nbsp;common&nbsp;[Network&nbsp;De</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1059/008)&nbsp;commands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">vice&nbsp;CLI](https://attack.mitre.org/techniques/T1059/008)&nbsp;com</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rname&lt;/code&gt;.(Citation:&nbsp;cisco_username_cmd)<span class=\"diff_chg\">&nbsp;</span>&nbsp;S<span class=\"diff_chg\">uch&nbsp;accounts&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;username&lt;/code&gt;<span class=\"diff_add\">,&nbsp;or&nbsp;to&nbsp;Kubernetes&nbsp;cluste</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ay&nbsp;be&nbsp;used&nbsp;to&nbsp;establish&nbsp;secondary&nbsp;credentialed&nbsp;access&nbsp;that&nbsp;d</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rs&nbsp;using&nbsp;the&nbsp;`kubectl`&nbsp;utility</span>.(Citation:&nbsp;cisco_username_cmd</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">o&nbsp;not</span>&nbsp;require&nbsp;persistent&nbsp;remote&nbsp;access&nbsp;tools&nbsp;to&nbsp;be&nbsp;deployed&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)<span class=\"diff_chg\">(Citation:&nbsp;Kubernetes</span>&nbsp;S<span class=\"diff_chg\">ervice&nbsp;Accounts&nbsp;Security)&nbsp;&nbsp;Such&nbsp;acco</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;the&nbsp;system.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">unts&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;establish&nbsp;secondary&nbsp;credentialed&nbsp;access&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">that&nbsp;do&nbsp;not</span>&nbsp;require&nbsp;persistent&nbsp;remote&nbsp;access&nbsp;tools&nbsp;to&nbsp;be&nbsp;dep</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">loyed&nbsp;on&nbsp;the&nbsp;system.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1026: Privileged Account Management",
@@ -4225,7 +4225,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-09 16:19:01.408000+00:00\", \"old_value\": \"2023-04-12 20:13:07.604000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.  \\n\\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \\n\\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)  \\n\\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\\n* `ExecReload` directive executes when a service restarts. \\n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.  \\n\\nAdversaries have created new service files, altered the commands a `.service` file\\u2019s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) \", \"old_value\": \"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.  \\n\\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \\n\\nService unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service)  \\n\\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\\n* `ExecReload` directive covers when a service restarts. \\n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped.  \\n\\nAdversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\\n\\nThe `.service` file\\u2019s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) \", \"diff\": \"--- \\n+++ \\n@@ -1,13 +1,11 @@\\n Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.  \\n \\n-Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \\n+Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \\n \\n-Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service)  \\n+Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)  \\n \\n-* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\\n-* `ExecReload` directive covers when a service restarts. \\n-* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped.  \\n+* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\\n+* `ExecReload` directive executes when a service restarts. \\n+* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.  \\n \\n-Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\\n-\\n-The `.service` file\\u2019s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) \\n+Adversaries have created new service files, altered the commands a `.service` file\\u2019s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"airwalk backdoor unix systems\", \"description\": \"airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.\", \"url\": \"http://www.ouah.org/backdoors.html\"}, \"root['x_mitre_contributors'][2]\": \"Tim (Wadhwa-)Brown\"}}",
                     "previous_version": "1.3",
                     "version_change": "1.3 \u2192 1.4",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to16__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to16__0\"><a href=\"#difflib_chg_to16__top\">t</a></td><td class=\"diff_header\" id=\"from16_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to16__top\">t</a></td><td class=\"diff_header\" id=\"to16_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;Syste</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;Syste</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">md&nbsp;is&nbsp;a&nbsp;system&nbsp;and&nbsp;service&nbsp;manager&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managin</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">md&nbsp;is&nbsp;a&nbsp;system&nbsp;and&nbsp;service&nbsp;manager&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">g&nbsp;background&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;o</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;background&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;o</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ther&nbsp;system&nbsp;resources.(Citation:&nbsp;Linux&nbsp;man-pages:&nbsp;systemd&nbsp;Ja</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ther&nbsp;system&nbsp;resources.(Citation:&nbsp;Linux&nbsp;man-pages:&nbsp;systemd&nbsp;Ja</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nuary&nbsp;2014)&nbsp;Systemd&nbsp;is&nbsp;the&nbsp;default&nbsp;initialization&nbsp;(init)&nbsp;sys</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nuary&nbsp;2014)&nbsp;Systemd&nbsp;is&nbsp;the&nbsp;default&nbsp;initialization&nbsp;(init)&nbsp;sys</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tem&nbsp;on&nbsp;many&nbsp;Linux&nbsp;distributions&nbsp;replacing&nbsp;legacy&nbsp;init&nbsp;system</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tem&nbsp;on&nbsp;many&nbsp;Linux&nbsp;distributions&nbsp;replacing&nbsp;legacy&nbsp;init&nbsp;system</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s,&nbsp;including&nbsp;SysVinit&nbsp;and&nbsp;Upstart,&nbsp;while&nbsp;remaining&nbsp;backwards</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s,&nbsp;including&nbsp;SysVinit&nbsp;and&nbsp;Upstart,&nbsp;while&nbsp;remaining&nbsp;backwards</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;compatible.&nbsp;&nbsp;&nbsp;&nbsp;Systemd&nbsp;utilizes&nbsp;unit&nbsp;configuration&nbsp;files&nbsp;wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;compatible.&nbsp;&nbsp;&nbsp;&nbsp;Systemd&nbsp;utilizes&nbsp;unit&nbsp;configuration&nbsp;files&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">th&nbsp;the&nbsp;`.service`&nbsp;file&nbsp;extension&nbsp;to&nbsp;encode&nbsp;information&nbsp;about</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">th&nbsp;the&nbsp;`.service`&nbsp;file&nbsp;extension&nbsp;to&nbsp;encode&nbsp;information&nbsp;about</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;service's&nbsp;process.&nbsp;By&nbsp;default,&nbsp;system&nbsp;level&nbsp;unit&nbsp;files&nbsp;ar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;a&nbsp;service's&nbsp;process.&nbsp;By&nbsp;default,&nbsp;system&nbsp;level&nbsp;unit&nbsp;files&nbsp;ar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;stored&nbsp;in&nbsp;the&nbsp;`/systemd/system`&nbsp;directory&nbsp;of&nbsp;the&nbsp;root&nbsp;owne</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;stored&nbsp;in&nbsp;the&nbsp;`/systemd/system`&nbsp;directory&nbsp;of&nbsp;the&nbsp;root&nbsp;owne</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;directories&nbsp;(`/`).&nbsp;User&nbsp;level&nbsp;unit&nbsp;files&nbsp;are&nbsp;stored&nbsp;in&nbsp;the</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;directories&nbsp;(`/`).&nbsp;User&nbsp;level&nbsp;unit&nbsp;files&nbsp;are&nbsp;stored&nbsp;in&nbsp;the</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;`/systemd/user`&nbsp;directories&nbsp;of&nbsp;the&nbsp;user&nbsp;owned&nbsp;directories&nbsp;(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;`/systemd/user`&nbsp;directories&nbsp;of&nbsp;the&nbsp;user&nbsp;owned&nbsp;directories&nbsp;(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">`$HOME`).&nbsp;(Citation:&nbsp;lambert&nbsp;systemd&nbsp;2022)&nbsp;&nbsp;&nbsp;Service&nbsp;unit&nbsp;fi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`$HOME`).(Citation:&nbsp;lambert&nbsp;systemd&nbsp;2022)&nbsp;&nbsp;&nbsp;Inside&nbsp;the&nbsp;`.ser</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">les&nbsp;use&nbsp;the&nbsp;following&nbsp;directives&nbsp;to&nbsp;execute&nbsp;system&nbsp;commands:</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vice`&nbsp;unit&nbsp;files,&nbsp;the&nbsp;following&nbsp;directives&nbsp;are&nbsp;used&nbsp;to&nbsp;execu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;freedesktop&nbsp;systemd.service)&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;`ExecStart`,&nbsp;`E</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">te&nbsp;commands:(Citation:&nbsp;freedesktop&nbsp;systemd.service)&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;`Ex</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">xecStartPre`,&nbsp;and&nbsp;`ExecStartPost`&nbsp;directives&nbsp;cover&nbsp;execution</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ecStart`,&nbsp;`ExecStartPre`,&nbsp;and&nbsp;`ExecStartPost`&nbsp;directives&nbsp;exe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;of&nbsp;commands&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;started&nbsp;manually&nbsp;by&nbsp;`systemct</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cute&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;started&nbsp;manually&nbsp;by&nbsp;`systemctl`&nbsp;or&nbsp;on</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l`,&nbsp;or&nbsp;on&nbsp;system&nbsp;start&nbsp;if&nbsp;the&nbsp;service&nbsp;is&nbsp;set&nbsp;to&nbsp;automaticall</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;system&nbsp;start&nbsp;if&nbsp;the&nbsp;service&nbsp;is&nbsp;set&nbsp;to&nbsp;automatically&nbsp;start.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;start.&nbsp;*&nbsp;`ExecReload`&nbsp;directive&nbsp;covers&nbsp;when&nbsp;a&nbsp;service&nbsp;rest</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">*&nbsp;`ExecReload`&nbsp;directive&nbsp;executes&nbsp;when&nbsp;a&nbsp;service&nbsp;restarts.&nbsp;&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">arts.&nbsp;&nbsp;*&nbsp;`ExecStop`,&nbsp;`ExecStopPre`,&nbsp;and&nbsp;`ExecStopPost`&nbsp;direc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">*&nbsp;`ExecStop`,&nbsp;`ExecStopPre`,&nbsp;and&nbsp;`ExecStopPost`&nbsp;directives&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tives&nbsp;cover&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;stopped.&nbsp;&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;ab</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xecute&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;stopped.&nbsp;&nbsp;&nbsp;&nbsp;Adversaries&nbsp;have&nbsp;create</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">use&nbsp;systemd&nbsp;functionality&nbsp;to&nbsp;establish&nbsp;persistent&nbsp;access&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;new&nbsp;service&nbsp;files,&nbsp;altered&nbsp;the&nbsp;commands&nbsp;a&nbsp;`.service`&nbsp;file\u2019</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">victim&nbsp;systems&nbsp;by&nbsp;creating&nbsp;and/or&nbsp;modifying&nbsp;service&nbsp;unit&nbsp;fil</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;directive&nbsp;executes,&nbsp;and&nbsp;modified&nbsp;the&nbsp;user&nbsp;directive&nbsp;a&nbsp;`.se</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;systemd&nbsp;uses&nbsp;upon&nbsp;reboot&nbsp;or&nbsp;starting&nbsp;a&nbsp;service.(Citation:</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rvice`&nbsp;file&nbsp;executes&nbsp;as,&nbsp;which&nbsp;could&nbsp;result&nbsp;in&nbsp;privilege&nbsp;esc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Anomali&nbsp;Rocke&nbsp;March&nbsp;2019)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;place&nbsp;symbol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">alation.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;place&nbsp;symbolic&nbsp;links&nbsp;in&nbsp;these&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ic&nbsp;links&nbsp;in&nbsp;these&nbsp;directories,&nbsp;enabling&nbsp;systemd&nbsp;to&nbsp;find&nbsp;thes</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">directories,&nbsp;enabling&nbsp;systemd&nbsp;to&nbsp;find&nbsp;these&nbsp;payloads&nbsp;regardl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;payloads&nbsp;regardless&nbsp;of&nbsp;where&nbsp;they&nbsp;reside&nbsp;on&nbsp;the&nbsp;filesystem</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ess&nbsp;of&nbsp;where&nbsp;they&nbsp;reside&nbsp;on&nbsp;the&nbsp;filesystem.(Citation:&nbsp;Anomal</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.&nbsp;&nbsp;The&nbsp;`.service`&nbsp;file\u2019s&nbsp;`User`&nbsp;directive&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;run</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">i&nbsp;Rocke&nbsp;March&nbsp;2019)(Citation:&nbsp;airwalk&nbsp;backdoor&nbsp;unix&nbsp;systems)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;service&nbsp;as&nbsp;a&nbsp;specific&nbsp;user,&nbsp;which&nbsp;could&nbsp;result&nbsp;in&nbsp;privilege</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;Rapid7&nbsp;Service&nbsp;Persistence&nbsp;22JUNE2016)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;escalation&nbsp;based&nbsp;on&nbsp;specific&nbsp;user/group&nbsp;permissions.(Citati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on:&nbsp;Rapid7&nbsp;Service&nbsp;Persistence&nbsp;22JUNE2016)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to15__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to15__0\"><a href=\"#difflib_chg_to15__top\">t</a></td><td class=\"diff_header\" id=\"from15_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to15__top\">t</a></td><td class=\"diff_header\" id=\"to15_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;create&nbsp;or&nbsp;modify&nbsp;systemd&nbsp;services&nbsp;to&nbsp;repeate</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;Syste</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dly&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;as&nbsp;part&nbsp;of&nbsp;persistence.&nbsp;Syste</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">md&nbsp;is&nbsp;a&nbsp;system&nbsp;and&nbsp;service&nbsp;manager&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managin</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">md&nbsp;is&nbsp;a&nbsp;system&nbsp;and&nbsp;service&nbsp;manager&nbsp;commonly&nbsp;used&nbsp;for&nbsp;managin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">g&nbsp;background&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;o</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;background&nbsp;daemon&nbsp;processes&nbsp;(also&nbsp;known&nbsp;as&nbsp;services)&nbsp;and&nbsp;o</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ther&nbsp;system&nbsp;resources.(Citation:&nbsp;Linux&nbsp;man-pages:&nbsp;systemd&nbsp;Ja</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ther&nbsp;system&nbsp;resources.(Citation:&nbsp;Linux&nbsp;man-pages:&nbsp;systemd&nbsp;Ja</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nuary&nbsp;2014)&nbsp;Systemd&nbsp;is&nbsp;the&nbsp;default&nbsp;initialization&nbsp;(init)&nbsp;sys</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nuary&nbsp;2014)&nbsp;Systemd&nbsp;is&nbsp;the&nbsp;default&nbsp;initialization&nbsp;(init)&nbsp;sys</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tem&nbsp;on&nbsp;many&nbsp;Linux&nbsp;distributions&nbsp;replacing&nbsp;legacy&nbsp;init&nbsp;system</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tem&nbsp;on&nbsp;many&nbsp;Linux&nbsp;distributions&nbsp;replacing&nbsp;legacy&nbsp;init&nbsp;system</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s,&nbsp;including&nbsp;SysVinit&nbsp;and&nbsp;Upstart,&nbsp;while&nbsp;remaining&nbsp;backwards</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s,&nbsp;including&nbsp;SysVinit&nbsp;and&nbsp;Upstart,&nbsp;while&nbsp;remaining&nbsp;backwards</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;compatible.&nbsp;&nbsp;&nbsp;&nbsp;Systemd&nbsp;utilizes&nbsp;unit&nbsp;configuration&nbsp;files&nbsp;wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;compatible.&nbsp;&nbsp;&nbsp;&nbsp;Systemd&nbsp;utilizes&nbsp;unit&nbsp;configuration&nbsp;files&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">th&nbsp;the&nbsp;`.service`&nbsp;file&nbsp;extension&nbsp;to&nbsp;encode&nbsp;information&nbsp;about</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">th&nbsp;the&nbsp;`.service`&nbsp;file&nbsp;extension&nbsp;to&nbsp;encode&nbsp;information&nbsp;about</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;service's&nbsp;process.&nbsp;By&nbsp;default,&nbsp;system&nbsp;level&nbsp;unit&nbsp;files&nbsp;ar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;a&nbsp;service's&nbsp;process.&nbsp;By&nbsp;default,&nbsp;system&nbsp;level&nbsp;unit&nbsp;files&nbsp;ar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;stored&nbsp;in&nbsp;the&nbsp;`/systemd/system`&nbsp;directory&nbsp;of&nbsp;the&nbsp;root&nbsp;owne</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;stored&nbsp;in&nbsp;the&nbsp;`/systemd/system`&nbsp;directory&nbsp;of&nbsp;the&nbsp;root&nbsp;owne</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;directories&nbsp;(`/`).&nbsp;User&nbsp;level&nbsp;unit&nbsp;files&nbsp;are&nbsp;stored&nbsp;in&nbsp;the</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;directories&nbsp;(`/`).&nbsp;User&nbsp;level&nbsp;unit&nbsp;files&nbsp;are&nbsp;stored&nbsp;in&nbsp;the</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;`/systemd/user`&nbsp;directories&nbsp;of&nbsp;the&nbsp;user&nbsp;owned&nbsp;directories&nbsp;(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;`/systemd/user`&nbsp;directories&nbsp;of&nbsp;the&nbsp;user&nbsp;owned&nbsp;directories&nbsp;(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">`$HOME`).&nbsp;(Citation:&nbsp;lambert&nbsp;systemd&nbsp;2022)&nbsp;&nbsp;&nbsp;Service&nbsp;unit&nbsp;fi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`$HOME`).(Citation:&nbsp;lambert&nbsp;systemd&nbsp;2022)&nbsp;&nbsp;&nbsp;Inside&nbsp;the&nbsp;`.ser</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">les&nbsp;use&nbsp;the&nbsp;following&nbsp;directives&nbsp;to&nbsp;execute&nbsp;system&nbsp;commands:</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vice`&nbsp;unit&nbsp;files,&nbsp;the&nbsp;following&nbsp;directives&nbsp;are&nbsp;used&nbsp;to&nbsp;execu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;freedesktop&nbsp;systemd.service)&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;`ExecStart`,&nbsp;`E</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">te&nbsp;commands:(Citation:&nbsp;freedesktop&nbsp;systemd.service)&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;`Ex</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">xecStartPre`,&nbsp;and&nbsp;`ExecStartPost`&nbsp;directives&nbsp;cover&nbsp;execution</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ecStart`,&nbsp;`ExecStartPre`,&nbsp;and&nbsp;`ExecStartPost`&nbsp;directives&nbsp;exe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;of&nbsp;commands&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;started&nbsp;manually&nbsp;by&nbsp;`systemct</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cute&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;started&nbsp;manually&nbsp;by&nbsp;`systemctl`&nbsp;or&nbsp;on</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l`,&nbsp;or&nbsp;on&nbsp;system&nbsp;start&nbsp;if&nbsp;the&nbsp;service&nbsp;is&nbsp;set&nbsp;to&nbsp;automaticall</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;system&nbsp;start&nbsp;if&nbsp;the&nbsp;service&nbsp;is&nbsp;set&nbsp;to&nbsp;automatically&nbsp;start.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;start.&nbsp;*&nbsp;`ExecReload`&nbsp;directive&nbsp;covers&nbsp;when&nbsp;a&nbsp;service&nbsp;rest</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">*&nbsp;`ExecReload`&nbsp;directive&nbsp;executes&nbsp;when&nbsp;a&nbsp;service&nbsp;restarts.&nbsp;&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">arts.&nbsp;&nbsp;*&nbsp;`ExecStop`,&nbsp;`ExecStopPre`,&nbsp;and&nbsp;`ExecStopPost`&nbsp;direc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">*&nbsp;`ExecStop`,&nbsp;`ExecStopPre`,&nbsp;and&nbsp;`ExecStopPost`&nbsp;directives&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tives&nbsp;cover&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;stopped.&nbsp;&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;ab</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xecute&nbsp;when&nbsp;a&nbsp;service&nbsp;is&nbsp;stopped.&nbsp;&nbsp;&nbsp;&nbsp;Adversaries&nbsp;have&nbsp;create</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">use&nbsp;systemd&nbsp;functionality&nbsp;to&nbsp;establish&nbsp;persistent&nbsp;access&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;new&nbsp;service&nbsp;files,&nbsp;altered&nbsp;the&nbsp;commands&nbsp;a&nbsp;`.service`&nbsp;file\u2019</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">victim&nbsp;systems&nbsp;by&nbsp;creating&nbsp;and/or&nbsp;modifying&nbsp;service&nbsp;unit&nbsp;fil</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;directive&nbsp;executes,&nbsp;and&nbsp;modified&nbsp;the&nbsp;user&nbsp;directive&nbsp;a&nbsp;`.se</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;systemd&nbsp;uses&nbsp;upon&nbsp;reboot&nbsp;or&nbsp;starting&nbsp;a&nbsp;service.(Citation:</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rvice`&nbsp;file&nbsp;executes&nbsp;as,&nbsp;which&nbsp;could&nbsp;result&nbsp;in&nbsp;privilege&nbsp;esc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Anomali&nbsp;Rocke&nbsp;March&nbsp;2019)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;place&nbsp;symbol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">alation.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;place&nbsp;symbolic&nbsp;links&nbsp;in&nbsp;these&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ic&nbsp;links&nbsp;in&nbsp;these&nbsp;directories,&nbsp;enabling&nbsp;systemd&nbsp;to&nbsp;find&nbsp;thes</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">directories,&nbsp;enabling&nbsp;systemd&nbsp;to&nbsp;find&nbsp;these&nbsp;payloads&nbsp;regardl</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;payloads&nbsp;regardless&nbsp;of&nbsp;where&nbsp;they&nbsp;reside&nbsp;on&nbsp;the&nbsp;filesystem</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ess&nbsp;of&nbsp;where&nbsp;they&nbsp;reside&nbsp;on&nbsp;the&nbsp;filesystem.(Citation:&nbsp;Anomal</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.&nbsp;&nbsp;The&nbsp;`.service`&nbsp;file\u2019s&nbsp;`User`&nbsp;directive&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;run</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">i&nbsp;Rocke&nbsp;March&nbsp;2019)(Citation:&nbsp;airwalk&nbsp;backdoor&nbsp;unix&nbsp;systems)</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;service&nbsp;as&nbsp;a&nbsp;specific&nbsp;user,&nbsp;which&nbsp;could&nbsp;result&nbsp;in&nbsp;privilege</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;Rapid7&nbsp;Service&nbsp;Persistence&nbsp;22JUNE2016)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;escalation&nbsp;based&nbsp;on&nbsp;specific&nbsp;user/group&nbsp;permissions.(Citati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on:&nbsp;Rapid7&nbsp;Service&nbsp;Persistence&nbsp;22JUNE2016)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -4436,7 +4436,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-30 20:16:41.759000+00:00\", \"old_value\": \"2022-04-01 18:25:13.952000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\", \"old_value\": \"Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][3]\": \"Cloud Service: Cloud Service Enumeration\", \"root['x_mitre_platforms'][3]\": \"IaaS\"}}",
                     "previous_version": "1.0",
                     "version_change": "1.0 \u2192 1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to36__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to36__0\"><a href=\"#difflib_chg_to36__top\">t</a></td><td class=\"diff_header\" id=\"from36_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td><td class=\"diff_next\"><a href=\"#difflib_chg_to36__top\">t</a></td><td class=\"diff_header\" id=\"to36_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;are&nbsp;stored&nbsp;in&nbsp;several</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;are&nbsp;stored&nbsp;in&nbsp;several</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;places&nbsp;on&nbsp;a&nbsp;system,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;ap</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;places&nbsp;on&nbsp;a&nbsp;system,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;ap</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pplications&nbsp;<span class=\"diff_chg\">that&nbsp;store</span>&nbsp;passwords&nbsp;to&nbsp;make&nbsp;<span class=\"diff_chg\">it&nbsp;easier</span>&nbsp;for&nbsp;users</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pplications&nbsp;<span class=\"diff_chg\">and&nbsp;services&nbsp;that&nbsp;store</span>&nbsp;passwords&nbsp;to&nbsp;make&nbsp;<span class=\"diff_chg\">them&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;manage&nbsp;and&nbsp;maintain.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtained,&nbsp;they&nbsp;ca</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">asier</span>&nbsp;for&nbsp;users&nbsp;<span class=\"diff_add\">to&nbsp;</span>manage&nbsp;and&nbsp;maintain<span class=\"diff_add\">,&nbsp;such&nbsp;as&nbsp;password&nbsp;man</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;restricted&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">agers&nbsp;and&nbsp;cloud&nbsp;secrets&nbsp;vaults</span>.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtaine</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">information.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d,&nbsp;they&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;r</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">estricted&nbsp;information.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to16__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to16__0\"><a href=\"#difflib_chg_to16__top\">t</a></td><td class=\"diff_header\" id=\"from16_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td><td class=\"diff_next\"><a href=\"#difflib_chg_to16__top\">t</a></td><td class=\"diff_header\" id=\"to16_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;for&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;are&nbsp;stored&nbsp;in&nbsp;several</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;are&nbsp;stored&nbsp;in&nbsp;several</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;places&nbsp;on&nbsp;a&nbsp;system,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;ap</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;places&nbsp;on&nbsp;a&nbsp;system,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;ap</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pplications&nbsp;<span class=\"diff_chg\">that&nbsp;store</span>&nbsp;passwords&nbsp;to&nbsp;make&nbsp;<span class=\"diff_chg\">it&nbsp;easier</span>&nbsp;for&nbsp;users</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pplications&nbsp;<span class=\"diff_chg\">and&nbsp;services&nbsp;that&nbsp;store</span>&nbsp;passwords&nbsp;to&nbsp;make&nbsp;<span class=\"diff_chg\">them&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;manage&nbsp;and&nbsp;maintain.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtained,&nbsp;they&nbsp;ca</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">asier</span>&nbsp;for&nbsp;users&nbsp;<span class=\"diff_add\">to&nbsp;</span>manage&nbsp;and&nbsp;maintain<span class=\"diff_add\">,&nbsp;such&nbsp;as&nbsp;password&nbsp;man</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;restricted&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">agers&nbsp;and&nbsp;cloud&nbsp;secrets&nbsp;vaults</span>.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtaine</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">information.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d,&nbsp;they&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;r</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">estricted&nbsp;information.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1027: Password Policies"
@@ -4676,7 +4676,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-29 16:11:43.530000+00:00\", \"old_value\": \"2022-10-18 19:10:42.621000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may access data from cloud storage.\\n\\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \\n\\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \\n\\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\\n\\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\\n\\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.\", \"old_value\": \"Adversaries may access data from improperly secured cloud storage.\\n\\nMany cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. \\n\\nIn other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011)\\n\\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\\n\\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\\n\\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.\", \"diff\": \"--- \\n+++ \\n@@ -1,8 +1,8 @@\\n-Adversaries may access data from improperly secured cloud storage.\\n+Adversaries may access data from cloud storage.\\n \\n-Many cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. \\n+Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \\n \\n-In other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011)\\n+In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \\n \\n Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][2]\": \"Google Workspace\", \"root['x_mitre_platforms'][3]\": \"Office 365\"}, \"iterable_item_removed\": {\"root['external_references'][1]\": {\"source_name\": \"SecureWorld - How Secure Is Your Slack Channel - Dec 2021\", \"description\": \" Drew Todd. (2021, December 28). How Secure Is Your Slack Channel?. Retrieved May 31, 2022.\", \"url\": \"https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#:~:text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim,credentials%20over%20a%20Slack%20channel.\"}, \"root['external_references'][4]\": {\"source_name\": \"EA Hacked via Slack - June 2021\", \"description\": \"Anthony Spadafora. (2021, June 11). EA hack reportedly used stolen cookies and Slack to target gaming giant. Retrieved May 31, 2022.\", \"url\": \"https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant\"}, \"root['external_references'][7]\": {\"source_name\": \"HackerNews - 3 SaaS App Cyber Attacks - April 2022\", \"description\": \"Hananel Livneh. (2022, April 7). Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022. Retrieved May 31, 2022.\", \"url\": \"https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html\"}, \"root['external_references'][10]\": {\"source_name\": \"Dark Clouds_Usenix_Mulazzani_08_2011\", \"description\": \"Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl. (2011, August). Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. Retrieved July 14, 2022.\", \"url\": \"https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack\"}}}",
                     "previous_version": "2.0",
                     "version_change": "2.0 \u2192 2.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to0__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to0__0\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"from0_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;improperly&nbsp;secured&nbsp;cloud&nbsp;st</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"to0_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;cloud&nbsp;storage.&nbsp;&nbsp;Many&nbsp;IaaS&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">orage.&nbsp;&nbsp;Many&nbsp;cloud&nbsp;service&nbsp;providers&nbsp;offer&nbsp;solutions&nbsp;for&nbsp;onl</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">roviders&nbsp;offer&nbsp;solutions&nbsp;for&nbsp;online&nbsp;data&nbsp;object&nbsp;storage&nbsp;such</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ine&nbsp;data&nbsp;object&nbsp;storage&nbsp;such&nbsp;as&nbsp;Amazon&nbsp;S3,&nbsp;Azure&nbsp;Storage,&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;as&nbsp;Amazon&nbsp;S3,&nbsp;Azure&nbsp;Storage,&nbsp;and&nbsp;Google&nbsp;Cloud&nbsp;Storage.&nbsp;Simi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;Google&nbsp;Cloud&nbsp;Storage.&nbsp;These&nbsp;solutions&nbsp;differ&nbsp;from&nbsp;other&nbsp;st</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">larly,&nbsp;SaaS&nbsp;enterprise&nbsp;platforms&nbsp;such&nbsp;as&nbsp;Office&nbsp;365&nbsp;and&nbsp;Goog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">orage&nbsp;solutions&nbsp;(such&nbsp;as&nbsp;SQL&nbsp;or&nbsp;Elasticsearch)&nbsp;in&nbsp;that&nbsp;there</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">le&nbsp;Workspace&nbsp;provide&nbsp;cloud-based&nbsp;document&nbsp;storage&nbsp;to&nbsp;users&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;is&nbsp;no&nbsp;overarching&nbsp;application.&nbsp;Data&nbsp;from&nbsp;these&nbsp;solutions&nbsp;ca</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hrough&nbsp;services&nbsp;such&nbsp;as&nbsp;OneDrive&nbsp;and&nbsp;Google&nbsp;Drive,&nbsp;while&nbsp;Saa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;be&nbsp;retrieved&nbsp;directly&nbsp;using&nbsp;the&nbsp;cloud&nbsp;provider's&nbsp;APIs.&nbsp;&nbsp;&nbsp;I</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">S&nbsp;application&nbsp;providers&nbsp;such&nbsp;as&nbsp;Slack,&nbsp;Confluence,&nbsp;Salesforc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;other&nbsp;cases,&nbsp;SaaS&nbsp;application&nbsp;providers&nbsp;such&nbsp;as&nbsp;Slack,&nbsp;Con</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e,&nbsp;and&nbsp;Dropbox&nbsp;may&nbsp;provide&nbsp;cloud&nbsp;storage&nbsp;solutions&nbsp;as&nbsp;a&nbsp;peri</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">fluence,&nbsp;and&nbsp;Salesforce&nbsp;also&nbsp;provide&nbsp;cloud&nbsp;storage&nbsp;solutions</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pheral&nbsp;or&nbsp;primary&nbsp;use&nbsp;case&nbsp;of&nbsp;their&nbsp;platform.&nbsp;&nbsp;&nbsp;In&nbsp;some&nbsp;case</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;as&nbsp;a&nbsp;peripheral&nbsp;use&nbsp;case&nbsp;of&nbsp;their&nbsp;platform.&nbsp;These&nbsp;cloud&nbsp;obj</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s,&nbsp;as&nbsp;with&nbsp;IaaS-based&nbsp;cloud&nbsp;storage,&nbsp;there&nbsp;exists&nbsp;no&nbsp;overarc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ects&nbsp;can&nbsp;be&nbsp;extracted&nbsp;directly&nbsp;from&nbsp;their&nbsp;associated&nbsp;applica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hing&nbsp;application&nbsp;(such&nbsp;as&nbsp;SQL&nbsp;or&nbsp;Elasticsearch)&nbsp;with&nbsp;which&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tion.(Citation:&nbsp;EA&nbsp;Hacked&nbsp;via&nbsp;Slack&nbsp;-&nbsp;June&nbsp;2021)(Citation:&nbsp;S</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;interact&nbsp;with&nbsp;the&nbsp;stored&nbsp;objects:&nbsp;instead,&nbsp;data&nbsp;from&nbsp;these</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ecureWorld&nbsp;-&nbsp;How&nbsp;Secure&nbsp;Is&nbsp;Your&nbsp;Slack&nbsp;Channel&nbsp;-&nbsp;Dec&nbsp;2021)(Ci</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;solutions&nbsp;is&nbsp;retrieved&nbsp;directly&nbsp;though&nbsp;the&nbsp;[Cloud&nbsp;API](http</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tation:&nbsp;HackerNews&nbsp;-&nbsp;3&nbsp;SaaS&nbsp;App&nbsp;Cyber&nbsp;Attacks&nbsp;-&nbsp;April&nbsp;2022)(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s://attack.mitre.org/techniques/T1059/009).&nbsp;In&nbsp;SaaS&nbsp;applicat</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;Dark&nbsp;Clouds_Usenix_Mulazzani_08_2011)&nbsp;&nbsp;Adversaries</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ions,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;collect&nbsp;this&nbsp;data&nbsp;directly&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;may&nbsp;collect&nbsp;sensitive&nbsp;data&nbsp;from&nbsp;these&nbsp;cloud&nbsp;storage&nbsp;solutio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">from&nbsp;APIs&nbsp;or&nbsp;backend&nbsp;cloud&nbsp;storage&nbsp;objects,&nbsp;rather&nbsp;than&nbsp;thro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ns.&nbsp;Providers&nbsp;typically&nbsp;offer&nbsp;security&nbsp;guides&nbsp;to&nbsp;help&nbsp;end&nbsp;us</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ugh&nbsp;their&nbsp;front-end&nbsp;application&nbsp;or&nbsp;interface&nbsp;(i.e.,&nbsp;[Data&nbsp;fr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ers&nbsp;configure&nbsp;systems,&nbsp;though&nbsp;misconfigurations&nbsp;are&nbsp;a&nbsp;common</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">om&nbsp;Information&nbsp;Repositories](https://attack.mitre.org/techni</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;problem.(Citation:&nbsp;Amazon&nbsp;S3&nbsp;Security,&nbsp;2019)(Citation:&nbsp;Micr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ques/T1213)).&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;collect&nbsp;sensitive&nbsp;data&nbsp;from&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">osoft&nbsp;Azure&nbsp;Storage&nbsp;Security,&nbsp;2019)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;S</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">these&nbsp;cloud&nbsp;storage&nbsp;solutions.&nbsp;Providers&nbsp;typically&nbsp;offer&nbsp;sec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">torage&nbsp;Best&nbsp;Practices,&nbsp;2019)&nbsp;There&nbsp;have&nbsp;been&nbsp;numerous&nbsp;incide</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urity&nbsp;guides&nbsp;to&nbsp;help&nbsp;end&nbsp;users&nbsp;configure&nbsp;systems,&nbsp;though&nbsp;mis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nts&nbsp;where&nbsp;cloud&nbsp;storage&nbsp;has&nbsp;been&nbsp;improperly&nbsp;secured,&nbsp;typical</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">configurations&nbsp;are&nbsp;a&nbsp;common&nbsp;problem.(Citation:&nbsp;Amazon&nbsp;S3&nbsp;Sec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ly&nbsp;by&nbsp;unintentionally&nbsp;allowing&nbsp;public&nbsp;access&nbsp;to&nbsp;unauthentica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urity,&nbsp;2019)(Citation:&nbsp;Microsoft&nbsp;Azure&nbsp;Storage&nbsp;Security,&nbsp;201</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ted&nbsp;users,&nbsp;overly-broad&nbsp;access&nbsp;by&nbsp;all&nbsp;users,&nbsp;or&nbsp;even&nbsp;access&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">9)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;Storage&nbsp;Best&nbsp;Practices,&nbsp;2019)&nbsp;Ther</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">for&nbsp;any&nbsp;anonymous&nbsp;person&nbsp;outside&nbsp;the&nbsp;control&nbsp;of&nbsp;the&nbsp;Identity</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;have&nbsp;been&nbsp;numerous&nbsp;incidents&nbsp;where&nbsp;cloud&nbsp;storage&nbsp;has&nbsp;been&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Access&nbsp;Management&nbsp;system&nbsp;without&nbsp;even&nbsp;needing&nbsp;basic&nbsp;user&nbsp;pe</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">improperly&nbsp;secured,&nbsp;typically&nbsp;by&nbsp;unintentionally&nbsp;allowing&nbsp;pu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rmissions.&nbsp;&nbsp;This&nbsp;open&nbsp;access&nbsp;may&nbsp;expose&nbsp;various&nbsp;types&nbsp;of&nbsp;sen</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">blic&nbsp;access&nbsp;to&nbsp;unauthenticated&nbsp;users,&nbsp;overly-broad&nbsp;access&nbsp;by</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">sitive&nbsp;data,&nbsp;such&nbsp;as&nbsp;credit&nbsp;cards,&nbsp;personally&nbsp;identifiable&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;all&nbsp;users,&nbsp;or&nbsp;even&nbsp;access&nbsp;for&nbsp;any&nbsp;anonymous&nbsp;person&nbsp;outside&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nformation,&nbsp;or&nbsp;medical&nbsp;records.(Citation:&nbsp;Trend&nbsp;Micro&nbsp;S3&nbsp;Exp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">the&nbsp;control&nbsp;of&nbsp;the&nbsp;Identity&nbsp;Access&nbsp;Management&nbsp;system&nbsp;without</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">osed&nbsp;PII,&nbsp;2017)(Citation:&nbsp;Wired&nbsp;Magecart&nbsp;S3&nbsp;Buckets,&nbsp;2019)(C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;even&nbsp;needing&nbsp;basic&nbsp;user&nbsp;permissions.&nbsp;&nbsp;This&nbsp;open&nbsp;access&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">itation:&nbsp;HIPAA&nbsp;Journal&nbsp;S3&nbsp;Breach,&nbsp;2017)(Citation:&nbsp;Rclone-meg</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">expose&nbsp;various&nbsp;types&nbsp;of&nbsp;sensitive&nbsp;data,&nbsp;such&nbsp;as&nbsp;credit&nbsp;cards</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">a-extortion_05_2021)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;obtain&nbsp;then&nbsp;abuse</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;personally&nbsp;identifiable&nbsp;information,&nbsp;or&nbsp;medical&nbsp;records.(C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;leaked&nbsp;credentials&nbsp;from&nbsp;source&nbsp;repositories,&nbsp;logs,&nbsp;or&nbsp;other</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">itation:&nbsp;Trend&nbsp;Micro&nbsp;S3&nbsp;Exposed&nbsp;PII,&nbsp;2017)(Citation:&nbsp;Wired&nbsp;M</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;means&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;cloud&nbsp;storage&nbsp;objects.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">agecart&nbsp;S3&nbsp;Buckets,&nbsp;2019)(Citation:&nbsp;HIPAA&nbsp;Journal&nbsp;S3&nbsp;Breach,</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;2017)(Citation:&nbsp;Rclone-mega-extortion_05_2021)&nbsp;&nbsp;Adversaries</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;may&nbsp;also&nbsp;obtain&nbsp;then&nbsp;abuse&nbsp;leaked&nbsp;credentials&nbsp;from&nbsp;source&nbsp;r</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">epositories,&nbsp;logs,&nbsp;or&nbsp;other&nbsp;means&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;gain&nbsp;access&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;cloud&nbsp;storage&nbsp;objects.</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to14__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to14__0\"><a href=\"#difflib_chg_to14__top\">t</a></td><td class=\"diff_header\" id=\"from14_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;improperly&nbsp;secured&nbsp;cloud&nbsp;st</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to14__top\">t</a></td><td class=\"diff_header\" id=\"to14_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;access&nbsp;data&nbsp;from&nbsp;cloud&nbsp;storage.&nbsp;&nbsp;Many&nbsp;IaaS&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">orage.&nbsp;&nbsp;Many&nbsp;cloud&nbsp;service&nbsp;providers&nbsp;offer&nbsp;solutions&nbsp;for&nbsp;onl</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">roviders&nbsp;offer&nbsp;solutions&nbsp;for&nbsp;online&nbsp;data&nbsp;object&nbsp;storage&nbsp;such</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ine&nbsp;data&nbsp;object&nbsp;storage&nbsp;such&nbsp;as&nbsp;Amazon&nbsp;S3,&nbsp;Azure&nbsp;Storage,&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;as&nbsp;Amazon&nbsp;S3,&nbsp;Azure&nbsp;Storage,&nbsp;and&nbsp;Google&nbsp;Cloud&nbsp;Storage.&nbsp;Simi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;Google&nbsp;Cloud&nbsp;Storage.&nbsp;These&nbsp;solutions&nbsp;differ&nbsp;from&nbsp;other&nbsp;st</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">larly,&nbsp;SaaS&nbsp;enterprise&nbsp;platforms&nbsp;such&nbsp;as&nbsp;Office&nbsp;365&nbsp;and&nbsp;Goog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">orage&nbsp;solutions&nbsp;(such&nbsp;as&nbsp;SQL&nbsp;or&nbsp;Elasticsearch)&nbsp;in&nbsp;that&nbsp;there</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">le&nbsp;Workspace&nbsp;provide&nbsp;cloud-based&nbsp;document&nbsp;storage&nbsp;to&nbsp;users&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;is&nbsp;no&nbsp;overarching&nbsp;application.&nbsp;Data&nbsp;from&nbsp;these&nbsp;solutions&nbsp;ca</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hrough&nbsp;services&nbsp;such&nbsp;as&nbsp;OneDrive&nbsp;and&nbsp;Google&nbsp;Drive,&nbsp;while&nbsp;Saa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;be&nbsp;retrieved&nbsp;directly&nbsp;using&nbsp;the&nbsp;cloud&nbsp;provider's&nbsp;APIs.&nbsp;&nbsp;&nbsp;I</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">S&nbsp;application&nbsp;providers&nbsp;such&nbsp;as&nbsp;Slack,&nbsp;Confluence,&nbsp;Salesforc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;other&nbsp;cases,&nbsp;SaaS&nbsp;application&nbsp;providers&nbsp;such&nbsp;as&nbsp;Slack,&nbsp;Con</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e,&nbsp;and&nbsp;Dropbox&nbsp;may&nbsp;provide&nbsp;cloud&nbsp;storage&nbsp;solutions&nbsp;as&nbsp;a&nbsp;peri</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">fluence,&nbsp;and&nbsp;Salesforce&nbsp;also&nbsp;provide&nbsp;cloud&nbsp;storage&nbsp;solutions</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pheral&nbsp;or&nbsp;primary&nbsp;use&nbsp;case&nbsp;of&nbsp;their&nbsp;platform.&nbsp;&nbsp;&nbsp;In&nbsp;some&nbsp;case</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;as&nbsp;a&nbsp;peripheral&nbsp;use&nbsp;case&nbsp;of&nbsp;their&nbsp;platform.&nbsp;These&nbsp;cloud&nbsp;obj</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s,&nbsp;as&nbsp;with&nbsp;IaaS-based&nbsp;cloud&nbsp;storage,&nbsp;there&nbsp;exists&nbsp;no&nbsp;overarc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ects&nbsp;can&nbsp;be&nbsp;extracted&nbsp;directly&nbsp;from&nbsp;their&nbsp;associated&nbsp;applica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hing&nbsp;application&nbsp;(such&nbsp;as&nbsp;SQL&nbsp;or&nbsp;Elasticsearch)&nbsp;with&nbsp;which&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tion.(Citation:&nbsp;EA&nbsp;Hacked&nbsp;via&nbsp;Slack&nbsp;-&nbsp;June&nbsp;2021)(Citation:&nbsp;S</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;interact&nbsp;with&nbsp;the&nbsp;stored&nbsp;objects:&nbsp;instead,&nbsp;data&nbsp;from&nbsp;these</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ecureWorld&nbsp;-&nbsp;How&nbsp;Secure&nbsp;Is&nbsp;Your&nbsp;Slack&nbsp;Channel&nbsp;-&nbsp;Dec&nbsp;2021)(Ci</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;solutions&nbsp;is&nbsp;retrieved&nbsp;directly&nbsp;though&nbsp;the&nbsp;[Cloud&nbsp;API](http</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tation:&nbsp;HackerNews&nbsp;-&nbsp;3&nbsp;SaaS&nbsp;App&nbsp;Cyber&nbsp;Attacks&nbsp;-&nbsp;April&nbsp;2022)(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s://attack.mitre.org/techniques/T1059/009).&nbsp;In&nbsp;SaaS&nbsp;applicat</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;Dark&nbsp;Clouds_Usenix_Mulazzani_08_2011)&nbsp;&nbsp;Adversaries</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ions,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;collect&nbsp;this&nbsp;data&nbsp;directly&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;may&nbsp;collect&nbsp;sensitive&nbsp;data&nbsp;from&nbsp;these&nbsp;cloud&nbsp;storage&nbsp;solutio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">from&nbsp;APIs&nbsp;or&nbsp;backend&nbsp;cloud&nbsp;storage&nbsp;objects,&nbsp;rather&nbsp;than&nbsp;thro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ns.&nbsp;Providers&nbsp;typically&nbsp;offer&nbsp;security&nbsp;guides&nbsp;to&nbsp;help&nbsp;end&nbsp;us</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ugh&nbsp;their&nbsp;front-end&nbsp;application&nbsp;or&nbsp;interface&nbsp;(i.e.,&nbsp;[Data&nbsp;fr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ers&nbsp;configure&nbsp;systems,&nbsp;though&nbsp;misconfigurations&nbsp;are&nbsp;a&nbsp;common</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">om&nbsp;Information&nbsp;Repositories](https://attack.mitre.org/techni</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;problem.(Citation:&nbsp;Amazon&nbsp;S3&nbsp;Security,&nbsp;2019)(Citation:&nbsp;Micr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ques/T1213)).&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;collect&nbsp;sensitive&nbsp;data&nbsp;from&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">osoft&nbsp;Azure&nbsp;Storage&nbsp;Security,&nbsp;2019)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;S</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">these&nbsp;cloud&nbsp;storage&nbsp;solutions.&nbsp;Providers&nbsp;typically&nbsp;offer&nbsp;sec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">torage&nbsp;Best&nbsp;Practices,&nbsp;2019)&nbsp;There&nbsp;have&nbsp;been&nbsp;numerous&nbsp;incide</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urity&nbsp;guides&nbsp;to&nbsp;help&nbsp;end&nbsp;users&nbsp;configure&nbsp;systems,&nbsp;though&nbsp;mis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nts&nbsp;where&nbsp;cloud&nbsp;storage&nbsp;has&nbsp;been&nbsp;improperly&nbsp;secured,&nbsp;typical</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">configurations&nbsp;are&nbsp;a&nbsp;common&nbsp;problem.(Citation:&nbsp;Amazon&nbsp;S3&nbsp;Sec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ly&nbsp;by&nbsp;unintentionally&nbsp;allowing&nbsp;public&nbsp;access&nbsp;to&nbsp;unauthentica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urity,&nbsp;2019)(Citation:&nbsp;Microsoft&nbsp;Azure&nbsp;Storage&nbsp;Security,&nbsp;201</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ted&nbsp;users,&nbsp;overly-broad&nbsp;access&nbsp;by&nbsp;all&nbsp;users,&nbsp;or&nbsp;even&nbsp;access&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">9)(Citation:&nbsp;Google&nbsp;Cloud&nbsp;Storage&nbsp;Best&nbsp;Practices,&nbsp;2019)&nbsp;Ther</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">for&nbsp;any&nbsp;anonymous&nbsp;person&nbsp;outside&nbsp;the&nbsp;control&nbsp;of&nbsp;the&nbsp;Identity</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;have&nbsp;been&nbsp;numerous&nbsp;incidents&nbsp;where&nbsp;cloud&nbsp;storage&nbsp;has&nbsp;been&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Access&nbsp;Management&nbsp;system&nbsp;without&nbsp;even&nbsp;needing&nbsp;basic&nbsp;user&nbsp;pe</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">improperly&nbsp;secured,&nbsp;typically&nbsp;by&nbsp;unintentionally&nbsp;allowing&nbsp;pu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rmissions.&nbsp;&nbsp;This&nbsp;open&nbsp;access&nbsp;may&nbsp;expose&nbsp;various&nbsp;types&nbsp;of&nbsp;sen</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">blic&nbsp;access&nbsp;to&nbsp;unauthenticated&nbsp;users,&nbsp;overly-broad&nbsp;access&nbsp;by</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">sitive&nbsp;data,&nbsp;such&nbsp;as&nbsp;credit&nbsp;cards,&nbsp;personally&nbsp;identifiable&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;all&nbsp;users,&nbsp;or&nbsp;even&nbsp;access&nbsp;for&nbsp;any&nbsp;anonymous&nbsp;person&nbsp;outside&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nformation,&nbsp;or&nbsp;medical&nbsp;records.(Citation:&nbsp;Trend&nbsp;Micro&nbsp;S3&nbsp;Exp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">the&nbsp;control&nbsp;of&nbsp;the&nbsp;Identity&nbsp;Access&nbsp;Management&nbsp;system&nbsp;without</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">osed&nbsp;PII,&nbsp;2017)(Citation:&nbsp;Wired&nbsp;Magecart&nbsp;S3&nbsp;Buckets,&nbsp;2019)(C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;even&nbsp;needing&nbsp;basic&nbsp;user&nbsp;permissions.&nbsp;&nbsp;This&nbsp;open&nbsp;access&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">itation:&nbsp;HIPAA&nbsp;Journal&nbsp;S3&nbsp;Breach,&nbsp;2017)(Citation:&nbsp;Rclone-meg</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">expose&nbsp;various&nbsp;types&nbsp;of&nbsp;sensitive&nbsp;data,&nbsp;such&nbsp;as&nbsp;credit&nbsp;cards</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">a-extortion_05_2021)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;obtain&nbsp;then&nbsp;abuse</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;personally&nbsp;identifiable&nbsp;information,&nbsp;or&nbsp;medical&nbsp;records.(C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;leaked&nbsp;credentials&nbsp;from&nbsp;source&nbsp;repositories,&nbsp;logs,&nbsp;or&nbsp;other</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">itation:&nbsp;Trend&nbsp;Micro&nbsp;S3&nbsp;Exposed&nbsp;PII,&nbsp;2017)(Citation:&nbsp;Wired&nbsp;M</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;means&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;cloud&nbsp;storage&nbsp;objects.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">agecart&nbsp;S3&nbsp;Buckets,&nbsp;2019)(Citation:&nbsp;HIPAA&nbsp;Journal&nbsp;S3&nbsp;Breach,</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;2017)(Citation:&nbsp;Rclone-mega-extortion_05_2021)&nbsp;&nbsp;Adversaries</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;may&nbsp;also&nbsp;obtain&nbsp;then&nbsp;abuse&nbsp;leaked&nbsp;credentials&nbsp;from&nbsp;source&nbsp;r</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">epositories,&nbsp;logs,&nbsp;or&nbsp;other&nbsp;means&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;gain&nbsp;access&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;cloud&nbsp;storage&nbsp;objects.</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -4926,7 +4926,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.2.0\", \"root['x_mitre_contributors']\": [\"Tom Simpson, CrowdStrike Falcon OverWatch\"], \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 14:19:18.804000+00:00\", \"old_value\": \"2021-02-09 14:09:00.753000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n\\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\", \"old_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n\\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n+Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n \\n-Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)\\n+Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"LOLBAS Esentutl\", \"description\": \"LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.\", \"url\": \"https://lolbas-project.github.io/lolbas/Binaries/Esentutl/\"}, \"root['x_mitre_data_sources'][0]\": \"File: File Creation\"}}",
                     "previous_version": "2.0",
                     "version_change": "2.0 \u2192 2.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to2__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to2__0\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"from2_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td><td class=\"diff_next\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"to2_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bypass<span class=\"diff_sub\">es</span>&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;system</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">may&nbsp;</span>bypass&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;syst</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;monitoring&nbsp;tools.&nbsp;(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;suc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;monitoring&nbsp;tools.&nbsp;(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">h&nbsp;as&nbsp;NinjaCopy,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerShell</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;<span class=\"diff_add\">`</span>NinjaCopy<span class=\"diff_add\">`</span>,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerS</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hell.(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)<span class=\"diff_add\">&nbsp;Adversaries&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;also&nbsp;use&nbsp;built-in&nbsp;or&nbsp;third-party&nbsp;utilities&nbsp;(such&nbsp;as&nbsp;`vssad</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">min`,&nbsp;`wbadmin`,&nbsp;and&nbsp;[esentutl](https://attack.mitre.org/sof</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tware/S0404))&nbsp;to&nbsp;create&nbsp;shadow&nbsp;copies&nbsp;or&nbsp;backups&nbsp;of&nbsp;data&nbsp;fro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">m&nbsp;system&nbsp;volumes.(Citation:&nbsp;LOLBAS&nbsp;Esentutl)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to22__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to22__0\"><a href=\"#difflib_chg_to22__top\">t</a></td><td class=\"diff_header\" id=\"from22_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td><td class=\"diff_next\"><a href=\"#difflib_chg_to22__top\">t</a></td><td class=\"diff_header\" id=\"to22_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bypass<span class=\"diff_sub\">es</span>&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;system</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">may&nbsp;</span>bypass&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;syst</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;monitoring&nbsp;tools.&nbsp;(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;suc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;monitoring&nbsp;tools.&nbsp;(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">h&nbsp;as&nbsp;NinjaCopy,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerShell</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;<span class=\"diff_add\">`</span>NinjaCopy<span class=\"diff_add\">`</span>,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerS</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hell.(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)<span class=\"diff_add\">&nbsp;Adversaries&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;also&nbsp;use&nbsp;built-in&nbsp;or&nbsp;third-party&nbsp;utilities&nbsp;(such&nbsp;as&nbsp;`vssad</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">min`,&nbsp;`wbadmin`,&nbsp;and&nbsp;[esentutl](https://attack.mitre.org/sof</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tware/S0404))&nbsp;to&nbsp;create&nbsp;shadow&nbsp;copies&nbsp;or&nbsp;backups&nbsp;of&nbsp;data&nbsp;fro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">m&nbsp;system&nbsp;volumes.(Citation:&nbsp;LOLBAS&nbsp;Esentutl)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [],
                         "new": [
@@ -5548,7 +5548,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 11:45:21.555000+00:00\", \"old_value\": \"2022-04-28 16:06:49.447000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0\\n\\nCredentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\\n\\nSuch exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\\n\\nExploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\", \"old_value\": \"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,7 @@\\n-Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\\n+Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0\\n+\\n+Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)\\n+\\n+Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)\\n+\\n+Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Bugcrowd Replay Attack\", \"description\": \"Bugcrowd. (n.d.). Replay Attack. Retrieved September 27, 2023.\", \"url\": \"https://www.bugcrowd.com/glossary/replay-attack/\"}, \"root['external_references'][2]\": {\"source_name\": \"Comparitech Replay Attack\", \"description\": \"Justin Schamotta. (2022, October 28). What is a replay attack?. Retrieved September 27, 2023.\", \"url\": \"https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/\"}, \"root['external_references'][4]\": {\"source_name\": \"Storm-0558 techniques for unauthorized email access\", \"description\": \"Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Retrieved September 18, 2023.\", \"url\": \"https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/\"}, \"root['external_references'][5]\": {\"source_name\": \"Microsoft Midnight Blizzard Replay Attack\", \"description\": \"Microsoft Threat Intelligence. (2023, June 21). Credential Attacks. Retrieved September 27, 2023.\", \"url\": \"https://twitter.com/MsftSecIntel/status/1671579359994343425\"}, \"root['x_mitre_contributors'][1]\": \"Mohit Rathore\", \"root['x_mitre_platforms'][3]\": \"Azure AD\"}}",
                     "previous_version": "1.4",
                     "version_change": "1.4 \u2192 1.5",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to38__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to38__0\"><a href=\"#difflib_chg_to38__top\">t</a></td><td class=\"diff_header\" id=\"from38_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to38__top\">t</a></td><td class=\"diff_header\" id=\"to38_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">pt&nbsp;to&nbsp;collect&nbsp;credentials.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vulner</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pt&nbsp;to&nbsp;collect&nbsp;credentials.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vulner</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;progra</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;progra</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ystem&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-control</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ystem&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-control</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">led&nbsp;code.\u00a0Credentialing&nbsp;and&nbsp;authentication&nbsp;mechanisms&nbsp;may&nbsp;be</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">led&nbsp;code.\u00a0&nbsp;&nbsp;Credentialing&nbsp;and&nbsp;authentication&nbsp;mechanisms&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;targeted&nbsp;for&nbsp;exploitation&nbsp;by&nbsp;adversaries&nbsp;as&nbsp;a&nbsp;means&nbsp;to&nbsp;gain</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">be&nbsp;targeted&nbsp;for&nbsp;exploitation&nbsp;by&nbsp;adversaries&nbsp;as&nbsp;a&nbsp;means&nbsp;to&nbsp;ga</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;access&nbsp;to&nbsp;useful&nbsp;credentials&nbsp;or&nbsp;circumvent&nbsp;the&nbsp;process&nbsp;to&nbsp;g</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">in&nbsp;access&nbsp;to&nbsp;useful&nbsp;credentials&nbsp;or&nbsp;circumvent&nbsp;the&nbsp;process&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ain&nbsp;access&nbsp;to&nbsp;systems.&nbsp;One&nbsp;example&nbsp;of&nbsp;this&nbsp;is&nbsp;MS14-068,&nbsp;whic</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;gain&nbsp;authenticated&nbsp;access&nbsp;to&nbsp;systems.&nbsp;One&nbsp;example&nbsp;of&nbsp;this&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">h&nbsp;targets&nbsp;Kerberos&nbsp;and&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;forge&nbsp;Kerberos&nbsp;tickets</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;`MS14-068`,&nbsp;which&nbsp;targets&nbsp;Kerberos&nbsp;and&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;forg</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;using&nbsp;domain&nbsp;user&nbsp;permissions.(Citation:&nbsp;Technet&nbsp;MS14-068)(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;Kerberos&nbsp;tickets&nbsp;using&nbsp;domain&nbsp;user&nbsp;permissions.(Citation:&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;ADSecurity&nbsp;Detecting&nbsp;Forged&nbsp;Tickets)&nbsp;Exploitation&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Technet&nbsp;MS14-068)(Citation:&nbsp;ADSecurity&nbsp;Detecting&nbsp;Forged&nbsp;Tick</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">for&nbsp;credential&nbsp;access&nbsp;may&nbsp;also&nbsp;result&nbsp;in&nbsp;Privilege&nbsp;Escalatio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ets)&nbsp;Another&nbsp;example&nbsp;of&nbsp;this&nbsp;is&nbsp;replay&nbsp;attacks,&nbsp;in&nbsp;which&nbsp;the</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;depending&nbsp;on&nbsp;the&nbsp;process&nbsp;targeted&nbsp;or&nbsp;credentials&nbsp;obtained.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;adversary&nbsp;intercepts&nbsp;data&nbsp;packets&nbsp;sent&nbsp;between&nbsp;parties&nbsp;and&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">then&nbsp;later&nbsp;replays&nbsp;these&nbsp;packets.&nbsp;If&nbsp;services&nbsp;don't&nbsp;properly</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;validate&nbsp;authentication&nbsp;requests,&nbsp;these&nbsp;replayed&nbsp;packets&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;allow&nbsp;an&nbsp;adversary&nbsp;to&nbsp;impersonate&nbsp;one&nbsp;of&nbsp;the&nbsp;parties&nbsp;and&nbsp;g</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ain&nbsp;unauthorized&nbsp;access&nbsp;or&nbsp;privileges.(Citation:&nbsp;Bugcrowd&nbsp;Re</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">play&nbsp;Attack)(Citation:&nbsp;Comparitech&nbsp;Replay&nbsp;Attack)(Citation:&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Microsoft&nbsp;Midnight&nbsp;Blizzard&nbsp;Replay&nbsp;Attack)&nbsp;&nbsp;Such&nbsp;exploitatio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n&nbsp;has&nbsp;been&nbsp;demonstrated&nbsp;in&nbsp;cloud&nbsp;environments&nbsp;as&nbsp;well.&nbsp;For&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xample,&nbsp;adversaries&nbsp;have&nbsp;exploited&nbsp;vulnerabilities&nbsp;in&nbsp;public</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;cloud&nbsp;infrastructure&nbsp;that&nbsp;allowed&nbsp;for&nbsp;unintended&nbsp;authentica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion&nbsp;token&nbsp;creation&nbsp;and&nbsp;renewal.(Citation:&nbsp;Storm-0558&nbsp;techni</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ques&nbsp;for&nbsp;unauthorized&nbsp;email&nbsp;access)&nbsp;&nbsp;Exploitation&nbsp;for&nbsp;creden</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tial&nbsp;access&nbsp;may&nbsp;also&nbsp;result&nbsp;in&nbsp;Privilege&nbsp;Escalation&nbsp;dependin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;on&nbsp;the&nbsp;process&nbsp;targeted&nbsp;or&nbsp;credentials&nbsp;obtained.</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to32__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to32__0\"><a href=\"#difflib_chg_to32__top\">t</a></td><td class=\"diff_header\" id=\"from32_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to32__top\">t</a></td><td class=\"diff_header\" id=\"to32_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;exploit&nbsp;software&nbsp;vulnerabilities&nbsp;in&nbsp;an&nbsp;attem</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">pt&nbsp;to&nbsp;collect&nbsp;credentials.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vulner</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pt&nbsp;to&nbsp;collect&nbsp;credentials.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vulner</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;progra</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;progra</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ystem&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-control</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ystem&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-control</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">led&nbsp;code.\u00a0Credentialing&nbsp;and&nbsp;authentication&nbsp;mechanisms&nbsp;may&nbsp;be</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">led&nbsp;code.\u00a0&nbsp;&nbsp;Credentialing&nbsp;and&nbsp;authentication&nbsp;mechanisms&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;targeted&nbsp;for&nbsp;exploitation&nbsp;by&nbsp;adversaries&nbsp;as&nbsp;a&nbsp;means&nbsp;to&nbsp;gain</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">be&nbsp;targeted&nbsp;for&nbsp;exploitation&nbsp;by&nbsp;adversaries&nbsp;as&nbsp;a&nbsp;means&nbsp;to&nbsp;ga</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;access&nbsp;to&nbsp;useful&nbsp;credentials&nbsp;or&nbsp;circumvent&nbsp;the&nbsp;process&nbsp;to&nbsp;g</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">in&nbsp;access&nbsp;to&nbsp;useful&nbsp;credentials&nbsp;or&nbsp;circumvent&nbsp;the&nbsp;process&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ain&nbsp;access&nbsp;to&nbsp;systems.&nbsp;One&nbsp;example&nbsp;of&nbsp;this&nbsp;is&nbsp;MS14-068,&nbsp;whic</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;gain&nbsp;authenticated&nbsp;access&nbsp;to&nbsp;systems.&nbsp;One&nbsp;example&nbsp;of&nbsp;this&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">h&nbsp;targets&nbsp;Kerberos&nbsp;and&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;forge&nbsp;Kerberos&nbsp;tickets</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;`MS14-068`,&nbsp;which&nbsp;targets&nbsp;Kerberos&nbsp;and&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;forg</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;using&nbsp;domain&nbsp;user&nbsp;permissions.(Citation:&nbsp;Technet&nbsp;MS14-068)(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;Kerberos&nbsp;tickets&nbsp;using&nbsp;domain&nbsp;user&nbsp;permissions.(Citation:&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;ADSecurity&nbsp;Detecting&nbsp;Forged&nbsp;Tickets)&nbsp;Exploitation&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Technet&nbsp;MS14-068)(Citation:&nbsp;ADSecurity&nbsp;Detecting&nbsp;Forged&nbsp;Tick</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">for&nbsp;credential&nbsp;access&nbsp;may&nbsp;also&nbsp;result&nbsp;in&nbsp;Privilege&nbsp;Escalatio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ets)&nbsp;Another&nbsp;example&nbsp;of&nbsp;this&nbsp;is&nbsp;replay&nbsp;attacks,&nbsp;in&nbsp;which&nbsp;the</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;depending&nbsp;on&nbsp;the&nbsp;process&nbsp;targeted&nbsp;or&nbsp;credentials&nbsp;obtained.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;adversary&nbsp;intercepts&nbsp;data&nbsp;packets&nbsp;sent&nbsp;between&nbsp;parties&nbsp;and&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">then&nbsp;later&nbsp;replays&nbsp;these&nbsp;packets.&nbsp;If&nbsp;services&nbsp;don't&nbsp;properly</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;validate&nbsp;authentication&nbsp;requests,&nbsp;these&nbsp;replayed&nbsp;packets&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;allow&nbsp;an&nbsp;adversary&nbsp;to&nbsp;impersonate&nbsp;one&nbsp;of&nbsp;the&nbsp;parties&nbsp;and&nbsp;g</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ain&nbsp;unauthorized&nbsp;access&nbsp;or&nbsp;privileges.(Citation:&nbsp;Bugcrowd&nbsp;Re</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">play&nbsp;Attack)(Citation:&nbsp;Comparitech&nbsp;Replay&nbsp;Attack)(Citation:&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Microsoft&nbsp;Midnight&nbsp;Blizzard&nbsp;Replay&nbsp;Attack)&nbsp;&nbsp;Such&nbsp;exploitatio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n&nbsp;has&nbsp;been&nbsp;demonstrated&nbsp;in&nbsp;cloud&nbsp;environments&nbsp;as&nbsp;well.&nbsp;For&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xample,&nbsp;adversaries&nbsp;have&nbsp;exploited&nbsp;vulnerabilities&nbsp;in&nbsp;public</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;cloud&nbsp;infrastructure&nbsp;that&nbsp;allowed&nbsp;for&nbsp;unintended&nbsp;authentica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion&nbsp;token&nbsp;creation&nbsp;and&nbsp;renewal.(Citation:&nbsp;Storm-0558&nbsp;techni</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ques&nbsp;for&nbsp;unauthorized&nbsp;email&nbsp;access)&nbsp;&nbsp;Exploitation&nbsp;for&nbsp;creden</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tial&nbsp;access&nbsp;may&nbsp;also&nbsp;result&nbsp;in&nbsp;Privilege&nbsp;Escalation&nbsp;dependin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;on&nbsp;the&nbsp;process&nbsp;targeted&nbsp;or&nbsp;credentials&nbsp;obtained.</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1019: Threat Intelligence Program",
@@ -5641,7 +5641,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 11:41:47.274000+00:00\", \"old_value\": \"2022-04-28 16:10:16.632000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n\\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\\n\\nThere have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)\", \"old_value\": \"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n\\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n+Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\\n \\n Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.\\n+\\n+There have also been examples of vulnerabilities in public cloud infrastructure of SaaS applications that may bypass defense boundaries (Citation: Salesforce zero-day in facebook phishing attack), evade security logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden infrastructure.(Citation: GhostToken GCP flaw)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Salesforce zero-day in facebook phishing attack\", \"description\": \"Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.\", \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/\"}, \"root['external_references'][2]\": {\"source_name\": \"Bypassing CloudTrail in AWS Service Catalog\", \"description\": \"Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.\", \"url\": \"https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/\"}, \"root['external_references'][3]\": {\"source_name\": \"GhostToken GCP flaw\", \"description\": \"Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.\", \"url\": \"https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/\"}, \"root['x_mitre_platforms'][3]\": \"SaaS\", \"root['x_mitre_platforms'][4]\": \"IaaS\"}}",
                     "previous_version": "1.3",
                     "version_change": "1.3 \u2192 1.4",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to35__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to35__0\"><a href=\"#difflib_chg_to35__top\">t</a></td><td class=\"diff_header\" id=\"from35_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to35__top\">t</a></td><td class=\"diff_header\" id=\"to35_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;to&nbsp;bypass&nbsp;security&nbsp;features.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;to&nbsp;bypass&nbsp;security&nbsp;features.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;vulnerabili</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lnerability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ty&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;programming</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ogramming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;system</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ng&nbsp;system&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-con</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-controlled&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">trolled&nbsp;code.\u00a0Vulnerabilities&nbsp;may&nbsp;exist&nbsp;in&nbsp;defensive&nbsp;securit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ode.\u00a0Vulnerabilities&nbsp;may&nbsp;exist&nbsp;in&nbsp;defensive&nbsp;security&nbsp;softwar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;software&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;disable&nbsp;or&nbsp;circumvent&nbsp;them.&nbsp;&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;disable&nbsp;or&nbsp;circumvent&nbsp;them.&nbsp;&nbsp;Adversari</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;have&nbsp;prior&nbsp;knowledge&nbsp;through&nbsp;reconnaissance&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es&nbsp;may&nbsp;have&nbsp;prior&nbsp;knowledge&nbsp;through&nbsp;reconnaissance&nbsp;that&nbsp;secu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">that&nbsp;security&nbsp;software&nbsp;exists&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;they&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rity&nbsp;software&nbsp;exists&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;they&nbsp;may&nbsp;perfo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">may&nbsp;perform&nbsp;checks&nbsp;during&nbsp;or&nbsp;shortly&nbsp;after&nbsp;the&nbsp;system&nbsp;is&nbsp;com</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rm&nbsp;checks&nbsp;during&nbsp;or&nbsp;shortly&nbsp;after&nbsp;the&nbsp;system&nbsp;is&nbsp;compromised&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">promised&nbsp;for&nbsp;[Security&nbsp;Software&nbsp;Discovery](https://attack.mi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">for&nbsp;[Security&nbsp;Software&nbsp;Discovery](https://attack.mitre.org/t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tre.org/techniques/T1518/001).&nbsp;The&nbsp;security&nbsp;software&nbsp;will&nbsp;li</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">echniques/T1518/001).&nbsp;The&nbsp;security&nbsp;software&nbsp;will&nbsp;likely&nbsp;be&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">kely&nbsp;be&nbsp;targeted&nbsp;directly&nbsp;for&nbsp;exploitation.&nbsp;There&nbsp;are&nbsp;exampl</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">argeted&nbsp;directly&nbsp;for&nbsp;exploitation.&nbsp;There&nbsp;are&nbsp;examples&nbsp;of&nbsp;ant</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;of&nbsp;antivirus&nbsp;software&nbsp;being&nbsp;targeted&nbsp;by&nbsp;persistent&nbsp;threat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ivirus&nbsp;software&nbsp;being&nbsp;targeted&nbsp;by&nbsp;persistent&nbsp;threat&nbsp;groups&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;groups&nbsp;to&nbsp;avoid&nbsp;detection.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;avoid&nbsp;detection.&nbsp;&nbsp;There&nbsp;have&nbsp;also&nbsp;been&nbsp;examples&nbsp;of&nbsp;vulnera</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">bilities&nbsp;in&nbsp;public&nbsp;cloud&nbsp;infrastructure&nbsp;of&nbsp;SaaS&nbsp;applications</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;that&nbsp;may&nbsp;bypass&nbsp;defense&nbsp;boundaries&nbsp;(Citation:&nbsp;Salesforce&nbsp;ze</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ro-day&nbsp;in&nbsp;facebook&nbsp;phishing&nbsp;attack),&nbsp;evade&nbsp;security&nbsp;logs&nbsp;(Ci</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tation:&nbsp;Bypassing&nbsp;CloudTrail&nbsp;in&nbsp;AWS&nbsp;Service&nbsp;Catalog),&nbsp;or&nbsp;dep</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">loy&nbsp;hidden&nbsp;infrastructure.(Citation:&nbsp;GhostToken&nbsp;GCP&nbsp;flaw)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to0__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to0__0\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"from0_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"to0_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;exploit&nbsp;a&nbsp;system&nbsp;or&nbsp;application&nbsp;vulnerabilit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;to&nbsp;bypass&nbsp;security&nbsp;features.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;software&nbsp;vu</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">y&nbsp;to&nbsp;bypass&nbsp;security&nbsp;features.&nbsp;Exploitation&nbsp;of&nbsp;a&nbsp;vulnerabili</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lnerability&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ty&nbsp;occurs&nbsp;when&nbsp;an&nbsp;adversary&nbsp;takes&nbsp;advantage&nbsp;of&nbsp;a&nbsp;programming</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ogramming&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;error&nbsp;in&nbsp;a&nbsp;program,&nbsp;service,&nbsp;or&nbsp;within&nbsp;the&nbsp;operating&nbsp;system</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ng&nbsp;system&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-con</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;software&nbsp;or&nbsp;kernel&nbsp;itself&nbsp;to&nbsp;execute&nbsp;adversary-controlled&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">trolled&nbsp;code.\u00a0Vulnerabilities&nbsp;may&nbsp;exist&nbsp;in&nbsp;defensive&nbsp;securit</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ode.\u00a0Vulnerabilities&nbsp;may&nbsp;exist&nbsp;in&nbsp;defensive&nbsp;security&nbsp;softwar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;software&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;disable&nbsp;or&nbsp;circumvent&nbsp;them.&nbsp;&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;disable&nbsp;or&nbsp;circumvent&nbsp;them.&nbsp;&nbsp;Adversari</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;have&nbsp;prior&nbsp;knowledge&nbsp;through&nbsp;reconnaissance&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es&nbsp;may&nbsp;have&nbsp;prior&nbsp;knowledge&nbsp;through&nbsp;reconnaissance&nbsp;that&nbsp;secu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">that&nbsp;security&nbsp;software&nbsp;exists&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;they&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rity&nbsp;software&nbsp;exists&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;they&nbsp;may&nbsp;perfo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">may&nbsp;perform&nbsp;checks&nbsp;during&nbsp;or&nbsp;shortly&nbsp;after&nbsp;the&nbsp;system&nbsp;is&nbsp;com</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rm&nbsp;checks&nbsp;during&nbsp;or&nbsp;shortly&nbsp;after&nbsp;the&nbsp;system&nbsp;is&nbsp;compromised&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">promised&nbsp;for&nbsp;[Security&nbsp;Software&nbsp;Discovery](https://attack.mi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">for&nbsp;[Security&nbsp;Software&nbsp;Discovery](https://attack.mitre.org/t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tre.org/techniques/T1518/001).&nbsp;The&nbsp;security&nbsp;software&nbsp;will&nbsp;li</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">echniques/T1518/001).&nbsp;The&nbsp;security&nbsp;software&nbsp;will&nbsp;likely&nbsp;be&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">kely&nbsp;be&nbsp;targeted&nbsp;directly&nbsp;for&nbsp;exploitation.&nbsp;There&nbsp;are&nbsp;exampl</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">argeted&nbsp;directly&nbsp;for&nbsp;exploitation.&nbsp;There&nbsp;are&nbsp;examples&nbsp;of&nbsp;ant</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;of&nbsp;antivirus&nbsp;software&nbsp;being&nbsp;targeted&nbsp;by&nbsp;persistent&nbsp;threat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ivirus&nbsp;software&nbsp;being&nbsp;targeted&nbsp;by&nbsp;persistent&nbsp;threat&nbsp;groups&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;groups&nbsp;to&nbsp;avoid&nbsp;detection.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;avoid&nbsp;detection.&nbsp;&nbsp;There&nbsp;have&nbsp;also&nbsp;been&nbsp;examples&nbsp;of&nbsp;vulnera</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">bilities&nbsp;in&nbsp;public&nbsp;cloud&nbsp;infrastructure&nbsp;of&nbsp;SaaS&nbsp;applications</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;that&nbsp;may&nbsp;bypass&nbsp;defense&nbsp;boundaries&nbsp;(Citation:&nbsp;Salesforce&nbsp;ze</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ro-day&nbsp;in&nbsp;facebook&nbsp;phishing&nbsp;attack),&nbsp;evade&nbsp;security&nbsp;logs&nbsp;(Ci</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tation:&nbsp;Bypassing&nbsp;CloudTrail&nbsp;in&nbsp;AWS&nbsp;Service&nbsp;Catalog),&nbsp;or&nbsp;dep</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">loy&nbsp;hidden&nbsp;infrastructure.(Citation:&nbsp;GhostToken&nbsp;GCP&nbsp;flaw)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1019: Threat Intelligence Program",
@@ -5931,7 +5931,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 11:10:03.428000+00:00\", \"old_value\": \"2023-05-04 18:05:16.877000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\\n\\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\\n\\nThe generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)\\n\\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)  \", \"old_value\": \"Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\\n\\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\\n\\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)  \", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\\n \\n-Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\\n+Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\\n+\\n+The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)), or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication key that can be used to generate tokens for any user in the domain.(Citation: AWS Temporary Security Credentials)(Citation: Zimbra Preauth)\\n \\n Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)  \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Zimbra Preauth\", \"description\": \"Zimbra. (2023, March 16). Preauth. Retrieved May 31, 2023.\", \"url\": \"https://wiki.zimbra.com/wiki/Preauth\"}}}",
                     "previous_version": "1.3",
                     "version_change": "1.3 \u2192 1.4",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to18__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to18__0\"><a href=\"#difflib_chg_to18__top\">t</a></td><td class=\"diff_header\" id=\"from18_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to18__top\">t</a></td><td class=\"diff_header\" id=\"to18_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Internet&nbsp;services.&nbsp;Web</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Internet&nbsp;services.&nbsp;Web</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;applications&nbsp;and&nbsp;services&nbsp;(hosted&nbsp;in&nbsp;cloud&nbsp;SaaS&nbsp;environment</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;applications&nbsp;and&nbsp;services&nbsp;(hosted&nbsp;in&nbsp;cloud&nbsp;SaaS&nbsp;environment</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;or&nbsp;on-premise&nbsp;servers)&nbsp;often&nbsp;use&nbsp;session&nbsp;cookies,&nbsp;tokens,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;or&nbsp;on-premise&nbsp;servers)&nbsp;often&nbsp;use&nbsp;session&nbsp;cookies,&nbsp;tokens,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;materials&nbsp;to&nbsp;authenticate&nbsp;and&nbsp;authorize&nbsp;user&nbsp;access</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;materials&nbsp;to&nbsp;authenticate&nbsp;and&nbsp;authorize&nbsp;user&nbsp;access</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;generate&nbsp;these&nbsp;credential&nbsp;materials&nbsp;in&nbsp;or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;generate&nbsp;these&nbsp;credential&nbsp;materials&nbsp;in&nbsp;or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">der&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;resources.&nbsp;This&nbsp;differs&nbsp;from&nbsp;[Stea</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">der&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;resources.&nbsp;This&nbsp;differs&nbsp;from&nbsp;[Stea</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">l&nbsp;Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/techniques/T1</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">l&nbsp;Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/techniques/T1</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">539),&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https://attack.mitre.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">539),&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https://attack.mitre.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">org/techniques/T1528),&nbsp;and&nbsp;other&nbsp;similar&nbsp;behaviors&nbsp;in&nbsp;that&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">org/techniques/T1528),&nbsp;and&nbsp;other&nbsp;similar&nbsp;behaviors&nbsp;in&nbsp;that&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;credentials&nbsp;are&nbsp;new&nbsp;and&nbsp;forged&nbsp;by&nbsp;the&nbsp;adversary,&nbsp;rather&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;credentials&nbsp;are&nbsp;new&nbsp;and&nbsp;forged&nbsp;by&nbsp;the&nbsp;adversary,&nbsp;rather&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">han&nbsp;stolen&nbsp;or&nbsp;intercepted&nbsp;from&nbsp;legitimate&nbsp;users.&nbsp;The&nbsp;generat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">han&nbsp;stolen&nbsp;or&nbsp;intercepted&nbsp;from&nbsp;legitimate&nbsp;users.&nbsp;<span class=\"diff_add\">&nbsp;</span>The&nbsp;genera</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion&nbsp;of&nbsp;web&nbsp;credentials&nbsp;often&nbsp;requires&nbsp;secret&nbsp;values,&nbsp;such&nbsp;as</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;of&nbsp;web&nbsp;credentials&nbsp;often&nbsp;requires&nbsp;secret&nbsp;values,&nbsp;such&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;passwords,&nbsp;[Private&nbsp;Keys](https://attack.mitre.org/techniqu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;passwords,&nbsp;[Private&nbsp;Keys](https://attack.mitre.org/techniq</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es/T1552/004),&nbsp;or&nbsp;other&nbsp;cryptographic&nbsp;seed&nbsp;values.(Citation:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ues/T1552/004),&nbsp;or&nbsp;other&nbsp;cryptographic&nbsp;seed&nbsp;values.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;GitHub&nbsp;AWS-ADFS-Credential-Generator)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;GitHub&nbsp;AWS-ADFS-Credential-Generator)&nbsp;Adversaries&nbsp;may&nbsp;also</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">forge&nbsp;tokens&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;features&nbsp;such&nbsp;as&nbsp;the&nbsp;`As</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;forge&nbsp;tokens&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;features&nbsp;such&nbsp;as&nbsp;the&nbsp;`A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sumeRole`&nbsp;and&nbsp;`GetFederationToken`&nbsp;APIs&nbsp;in&nbsp;AWS,&nbsp;which&nbsp;allow&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ssumeRole`&nbsp;and&nbsp;`GetFederationToken`&nbsp;APIs&nbsp;in&nbsp;AWS,&nbsp;which&nbsp;allow</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">users&nbsp;to&nbsp;request&nbsp;temporary&nbsp;security&nbsp;credentials.(Citation:&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;users&nbsp;to&nbsp;request&nbsp;temporary&nbsp;security&nbsp;credentials<span class=\"diff_add\">&nbsp;(i.e.,&nbsp;[Tem</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">WS&nbsp;Temporary&nbsp;Security&nbsp;Credentials)&nbsp;&nbsp;Once&nbsp;forged,&nbsp;adversaries</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">porary&nbsp;Elevated&nbsp;Cloud&nbsp;Access](https://attack.mitre.org/techn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;use&nbsp;these&nbsp;web&nbsp;credentials&nbsp;to&nbsp;access&nbsp;resources&nbsp;(ex:&nbsp;[Use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iques/T1548/005)),&nbsp;or&nbsp;the&nbsp;`zmprov&nbsp;gdpak`&nbsp;command&nbsp;in&nbsp;Zimbra,&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Alternate&nbsp;Authentication&nbsp;Material](https://attack.mitre.org</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">which&nbsp;generates&nbsp;a&nbsp;pre-authentication&nbsp;key&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/techniques/T1550)),&nbsp;which&nbsp;may&nbsp;bypass&nbsp;multi-factor&nbsp;and&nbsp;other</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;generate&nbsp;tokens&nbsp;for&nbsp;any&nbsp;user&nbsp;in&nbsp;the&nbsp;domain</span>.(Citation:&nbsp;AWS&nbsp;T</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;authentication&nbsp;protection&nbsp;mechanisms.(Citation:&nbsp;Pass&nbsp;The&nbsp;Co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">emporary&nbsp;Security&nbsp;Credentials)<span class=\"diff_add\">(Citation:&nbsp;Zimbra&nbsp;Preauth)</span>&nbsp;&nbsp;On</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">okie)(Citation:&nbsp;Unit&nbsp;42&nbsp;Mac&nbsp;Crypto&nbsp;Cookies&nbsp;January&nbsp;2019)(Cit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;forged,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;these&nbsp;web&nbsp;credentials&nbsp;to&nbsp;acce</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)&nbsp;&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;resources&nbsp;(ex:&nbsp;[Use&nbsp;Alternate&nbsp;Authentication&nbsp;Material](ht</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1550)),&nbsp;which&nbsp;may&nbsp;bypass&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">multi-factor&nbsp;and&nbsp;other&nbsp;authentication&nbsp;protection&nbsp;mechanisms.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;Pass&nbsp;The&nbsp;Cookie)(Citation:&nbsp;Unit&nbsp;42&nbsp;Mac&nbsp;Crypto&nbsp;Coo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kies&nbsp;January&nbsp;2019)(Citation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;G</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uidance)&nbsp;&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to35__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to35__0\"><a href=\"#difflib_chg_to35__top\">t</a></td><td class=\"diff_header\" id=\"from35_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to35__top\">t</a></td><td class=\"diff_header\" id=\"to35_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;forge&nbsp;credential&nbsp;materials&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Internet&nbsp;services.&nbsp;Web</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Internet&nbsp;services.&nbsp;Web</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;applications&nbsp;and&nbsp;services&nbsp;(hosted&nbsp;in&nbsp;cloud&nbsp;SaaS&nbsp;environment</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;applications&nbsp;and&nbsp;services&nbsp;(hosted&nbsp;in&nbsp;cloud&nbsp;SaaS&nbsp;environment</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;or&nbsp;on-premise&nbsp;servers)&nbsp;often&nbsp;use&nbsp;session&nbsp;cookies,&nbsp;tokens,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;or&nbsp;on-premise&nbsp;servers)&nbsp;often&nbsp;use&nbsp;session&nbsp;cookies,&nbsp;tokens,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;materials&nbsp;to&nbsp;authenticate&nbsp;and&nbsp;authorize&nbsp;user&nbsp;access</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;materials&nbsp;to&nbsp;authenticate&nbsp;and&nbsp;authorize&nbsp;user&nbsp;access</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;generate&nbsp;these&nbsp;credential&nbsp;materials&nbsp;in&nbsp;or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;generate&nbsp;these&nbsp;credential&nbsp;materials&nbsp;in&nbsp;or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">der&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;resources.&nbsp;This&nbsp;differs&nbsp;from&nbsp;[Stea</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">der&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;resources.&nbsp;This&nbsp;differs&nbsp;from&nbsp;[Stea</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">l&nbsp;Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/techniques/T1</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">l&nbsp;Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/techniques/T1</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">539),&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https://attack.mitre.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">539),&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https://attack.mitre.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">org/techniques/T1528),&nbsp;and&nbsp;other&nbsp;similar&nbsp;behaviors&nbsp;in&nbsp;that&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">org/techniques/T1528),&nbsp;and&nbsp;other&nbsp;similar&nbsp;behaviors&nbsp;in&nbsp;that&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;credentials&nbsp;are&nbsp;new&nbsp;and&nbsp;forged&nbsp;by&nbsp;the&nbsp;adversary,&nbsp;rather&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;credentials&nbsp;are&nbsp;new&nbsp;and&nbsp;forged&nbsp;by&nbsp;the&nbsp;adversary,&nbsp;rather&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">han&nbsp;stolen&nbsp;or&nbsp;intercepted&nbsp;from&nbsp;legitimate&nbsp;users.&nbsp;The&nbsp;generat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">han&nbsp;stolen&nbsp;or&nbsp;intercepted&nbsp;from&nbsp;legitimate&nbsp;users.&nbsp;<span class=\"diff_add\">&nbsp;</span>The&nbsp;genera</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion&nbsp;of&nbsp;web&nbsp;credentials&nbsp;often&nbsp;requires&nbsp;secret&nbsp;values,&nbsp;such&nbsp;as</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;of&nbsp;web&nbsp;credentials&nbsp;often&nbsp;requires&nbsp;secret&nbsp;values,&nbsp;such&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;passwords,&nbsp;[Private&nbsp;Keys](https://attack.mitre.org/techniqu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;passwords,&nbsp;[Private&nbsp;Keys](https://attack.mitre.org/techniq</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es/T1552/004),&nbsp;or&nbsp;other&nbsp;cryptographic&nbsp;seed&nbsp;values.(Citation:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ues/T1552/004),&nbsp;or&nbsp;other&nbsp;cryptographic&nbsp;seed&nbsp;values.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;GitHub&nbsp;AWS-ADFS-Credential-Generator)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;GitHub&nbsp;AWS-ADFS-Credential-Generator)&nbsp;Adversaries&nbsp;may&nbsp;also</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">forge&nbsp;tokens&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;features&nbsp;such&nbsp;as&nbsp;the&nbsp;`As</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;forge&nbsp;tokens&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;features&nbsp;such&nbsp;as&nbsp;the&nbsp;`A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sumeRole`&nbsp;and&nbsp;`GetFederationToken`&nbsp;APIs&nbsp;in&nbsp;AWS,&nbsp;which&nbsp;allow&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ssumeRole`&nbsp;and&nbsp;`GetFederationToken`&nbsp;APIs&nbsp;in&nbsp;AWS,&nbsp;which&nbsp;allow</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">users&nbsp;to&nbsp;request&nbsp;temporary&nbsp;security&nbsp;credentials.(Citation:&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;users&nbsp;to&nbsp;request&nbsp;temporary&nbsp;security&nbsp;credentials<span class=\"diff_add\">&nbsp;(i.e.,&nbsp;[Tem</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">WS&nbsp;Temporary&nbsp;Security&nbsp;Credentials)&nbsp;&nbsp;Once&nbsp;forged,&nbsp;adversaries</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">porary&nbsp;Elevated&nbsp;Cloud&nbsp;Access](https://attack.mitre.org/techn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;use&nbsp;these&nbsp;web&nbsp;credentials&nbsp;to&nbsp;access&nbsp;resources&nbsp;(ex:&nbsp;[Use</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iques/T1548/005)),&nbsp;or&nbsp;the&nbsp;`zmprov&nbsp;gdpak`&nbsp;command&nbsp;in&nbsp;Zimbra,&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Alternate&nbsp;Authentication&nbsp;Material](https://attack.mitre.org</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">which&nbsp;generates&nbsp;a&nbsp;pre-authentication&nbsp;key&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/techniques/T1550)),&nbsp;which&nbsp;may&nbsp;bypass&nbsp;multi-factor&nbsp;and&nbsp;other</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;generate&nbsp;tokens&nbsp;for&nbsp;any&nbsp;user&nbsp;in&nbsp;the&nbsp;domain</span>.(Citation:&nbsp;AWS&nbsp;T</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;authentication&nbsp;protection&nbsp;mechanisms.(Citation:&nbsp;Pass&nbsp;The&nbsp;Co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">emporary&nbsp;Security&nbsp;Credentials)<span class=\"diff_add\">(Citation:&nbsp;Zimbra&nbsp;Preauth)</span>&nbsp;&nbsp;On</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">okie)(Citation:&nbsp;Unit&nbsp;42&nbsp;Mac&nbsp;Crypto&nbsp;Cookies&nbsp;January&nbsp;2019)(Cit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;forged,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;these&nbsp;web&nbsp;credentials&nbsp;to&nbsp;acce</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;Guidance)&nbsp;&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;resources&nbsp;(ex:&nbsp;[Use&nbsp;Alternate&nbsp;Authentication&nbsp;Material](ht</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1550)),&nbsp;which&nbsp;may&nbsp;bypass&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">multi-factor&nbsp;and&nbsp;other&nbsp;authentication&nbsp;protection&nbsp;mechanisms.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;Pass&nbsp;The&nbsp;Cookie)(Citation:&nbsp;Unit&nbsp;42&nbsp;Mac&nbsp;Crypto&nbsp;Coo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kies&nbsp;January&nbsp;2019)(Citation:&nbsp;Microsoft&nbsp;SolarWinds&nbsp;Customer&nbsp;G</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uidance)&nbsp;&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -6138,7 +6138,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 03:29:57.078000+00:00\", \"old_value\": \"2023-03-30 21:01:39.426000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \\n\\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\\n\\nFor example, on Windows if an adversary places a malicious program named \\\"net.exe\\\" in `C:\\\\example path`, which by default precedes `C:\\\\Windows\\\\system32\\\\net.exe` in the PATH environment variable, when \\\"net\\\" is executed from the command-line the `C:\\\\example path` will be called instead of the system's legitimate executable at `C:\\\\Windows\\\\system32\\\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\\n\\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched.  An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)\", \"old_value\": \"Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\\n\\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, <code>%SystemRoot%\\\\system32</code> (e.g., <code>C:\\\\Windows\\\\system32</code>), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\\n\\nFor example, if <code>C:\\\\example path</code> precedes </code>C:\\\\Windows\\\\system32</code> is in the PATH environment variable, a program that is named net.exe and placed in <code>C:\\\\example path</code> will be called instead of the Windows system \\\"net\\\" when \\\"net\\\" is executed from the command-line.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\\n+Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \\n \\n-The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, <code>%SystemRoot%\\\\system32</code> (e.g., <code>C:\\\\Windows\\\\system32</code>), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\\n+Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\\n \\n-For example, if <code>C:\\\\example path</code> precedes </code>C:\\\\Windows\\\\system32</code> is in the PATH environment variable, a program that is named net.exe and placed in <code>C:\\\\example path</code> will be called instead of the Windows system \\\"net\\\" when \\\"net\\\" is executed from the command-line.\\n+For example, on Windows if an adversary places a malicious program named \\\"net.exe\\\" in `C:\\\\example path`, which by default precedes `C:\\\\Windows\\\\system32\\\\net.exe` in the PATH environment variable, when \\\"net\\\" is executed from the command-line the `C:\\\\example path` will be called instead of the system's legitimate executable at `C:\\\\Windows\\\\system32\\\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\\n+\\n+Adversaries may also directly modify the $PATH variable specifying the directories to be searched.  An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Elastic Rules macOS launchctl 2022\", \"description\": \"Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.\", \"url\": \"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html\"}, \"root['external_references'][2]\": {\"source_name\": \"ExpressVPN PATH env Windows 2021\", \"description\": \"ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.\", \"url\": \"https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/\"}, \"root['external_references'][3]\": {\"source_name\": \"uptycs Fake POC linux malware 2023\", \"description\": \"Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.\", \"url\": \"https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware\"}, \"root['external_references'][4]\": {\"source_name\": \"nixCraft macOS PATH variables\", \"description\": \"Vivek Gite. (2023, August 22). MacOS \\u2013 Set / Change $PATH Variable Command. Retrieved September 28, 2023.\", \"url\": \"https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/\"}, \"root['x_mitre_platforms'][1]\": \"macOS\", \"root['x_mitre_platforms'][2]\": \"Linux\"}}",
                     "previous_version": "1.0",
                     "version_change": "1.0 \u2192 1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to14__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to14__0\"><a href=\"#difflib_chg_to14__top\">t</a></td><td class=\"diff_header\" id=\"from14_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to14__top\">t</a></td><td class=\"diff_header\" id=\"to14_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cking&nbsp;environment&nbsp;variables&nbsp;used&nbsp;to&nbsp;load&nbsp;libraries.&nbsp;Adversar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cking&nbsp;environment&nbsp;variables&nbsp;used&nbsp;to&nbsp;load&nbsp;libraries.&nbsp;The&nbsp;PATH</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ies&nbsp;may&nbsp;place&nbsp;a&nbsp;program&nbsp;in&nbsp;an&nbsp;earlier&nbsp;entry&nbsp;in&nbsp;the&nbsp;list&nbsp;of&nbsp;d</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;environment&nbsp;variable&nbsp;contains&nbsp;a&nbsp;list&nbsp;of&nbsp;directories&nbsp;(User&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">irectories&nbsp;stored&nbsp;in&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable,&nbsp;which&nbsp;Wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;System)&nbsp;that&nbsp;the&nbsp;OS&nbsp;searches&nbsp;sequentially&nbsp;through&nbsp;in&nbsp;sear</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ndows&nbsp;will&nbsp;then&nbsp;execute&nbsp;when&nbsp;it&nbsp;searches&nbsp;sequentially&nbsp;throug</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ch&nbsp;of&nbsp;the&nbsp;binary&nbsp;that&nbsp;was&nbsp;called&nbsp;from&nbsp;a&nbsp;script&nbsp;or&nbsp;the&nbsp;comman</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">h&nbsp;that&nbsp;PATH&nbsp;listing&nbsp;in&nbsp;search&nbsp;of&nbsp;the&nbsp;binary&nbsp;that&nbsp;was&nbsp;called&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;line.&nbsp;&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;place&nbsp;a&nbsp;malicious&nbsp;program&nbsp;in&nbsp;an&nbsp;ea</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">from&nbsp;a&nbsp;script&nbsp;or&nbsp;the&nbsp;command&nbsp;line.&nbsp;&nbsp;The&nbsp;PATH&nbsp;environment&nbsp;var</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rlier&nbsp;entry&nbsp;in&nbsp;the&nbsp;list&nbsp;of&nbsp;directories&nbsp;stored&nbsp;in&nbsp;the&nbsp;PATH&nbsp;en</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">iable&nbsp;contains&nbsp;a&nbsp;list&nbsp;of&nbsp;directories.&nbsp;Certain&nbsp;methods&nbsp;of&nbsp;exe</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vironment&nbsp;variable,&nbsp;resulting&nbsp;in&nbsp;the&nbsp;operating&nbsp;system&nbsp;execut</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cuting&nbsp;a&nbsp;program&nbsp;(namely&nbsp;using&nbsp;cmd.exe&nbsp;or&nbsp;the&nbsp;command-line)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;the&nbsp;malicious&nbsp;binary&nbsp;rather&nbsp;than&nbsp;the&nbsp;legitimate&nbsp;binary&nbsp;w</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rely&nbsp;solely&nbsp;on&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable&nbsp;to&nbsp;determine&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hen&nbsp;it&nbsp;searches&nbsp;sequentially&nbsp;through&nbsp;that&nbsp;PATH&nbsp;listing.&nbsp;&nbsp;For</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;locations&nbsp;that&nbsp;are&nbsp;searched&nbsp;for&nbsp;a&nbsp;program&nbsp;when&nbsp;the&nbsp;path&nbsp;fo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;example,&nbsp;on&nbsp;Windows&nbsp;if&nbsp;an&nbsp;adversary&nbsp;places&nbsp;a&nbsp;malicious&nbsp;prog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">r&nbsp;the&nbsp;program&nbsp;is&nbsp;not&nbsp;given.&nbsp;If&nbsp;any&nbsp;directories&nbsp;are&nbsp;listed&nbsp;in</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ram&nbsp;named&nbsp;\"net.exe\"&nbsp;in&nbsp;`C:\\example&nbsp;path`,&nbsp;which&nbsp;by&nbsp;default&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable&nbsp;before&nbsp;the&nbsp;Windows&nbsp;directory,</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">recedes&nbsp;`C:\\Windows\\system32\\net.exe`&nbsp;in&nbsp;the&nbsp;PATH&nbsp;environmen</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;&lt;code&gt;%SystemRoot%\\system32&lt;/code&gt;&nbsp;(e.g.,&nbsp;&lt;code&gt;C:\\Windows\\</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t&nbsp;variable,&nbsp;when&nbsp;\"net\"&nbsp;is&nbsp;executed&nbsp;from&nbsp;the&nbsp;command-line&nbsp;the</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">system32&lt;/code&gt;),&nbsp;a&nbsp;program&nbsp;may&nbsp;be&nbsp;placed&nbsp;in&nbsp;the&nbsp;preceding&nbsp;d</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;`C:\\example&nbsp;path`&nbsp;will&nbsp;be&nbsp;called&nbsp;instead&nbsp;of&nbsp;the&nbsp;system's&nbsp;le</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">irectory&nbsp;that&nbsp;is&nbsp;named&nbsp;the&nbsp;same&nbsp;as&nbsp;a&nbsp;Windows&nbsp;program&nbsp;(such&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">gitimate&nbsp;executable&nbsp;at&nbsp;`C:\\Windows\\system32\\net.exe`.&nbsp;Some&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;cmd,&nbsp;PowerShell,&nbsp;or&nbsp;Python),&nbsp;which&nbsp;will&nbsp;be&nbsp;executed&nbsp;when&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ethods&nbsp;of&nbsp;executing&nbsp;a&nbsp;program&nbsp;rely&nbsp;on&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;v</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">hat&nbsp;command&nbsp;is&nbsp;executed&nbsp;from&nbsp;a&nbsp;script&nbsp;or&nbsp;command-line.&nbsp;&nbsp;For&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ariable&nbsp;to&nbsp;determine&nbsp;the&nbsp;locations&nbsp;that&nbsp;are&nbsp;searched&nbsp;when&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">example,&nbsp;if&nbsp;&lt;code&gt;C:\\example&nbsp;path&lt;/code&gt;&nbsp;precedes&nbsp;&lt;/code&gt;C:\\</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;path&nbsp;for&nbsp;the&nbsp;program&nbsp;is&nbsp;not&nbsp;given,&nbsp;such&nbsp;as&nbsp;executing&nbsp;progr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Windows\\system32&lt;/code&gt;&nbsp;is&nbsp;in&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable,</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ams&nbsp;from&nbsp;a&nbsp;[Command&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://attac</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;program&nbsp;that&nbsp;is&nbsp;named&nbsp;net.exe&nbsp;and&nbsp;placed&nbsp;in&nbsp;&lt;code&gt;C:\\exam</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">k.mitre.org/techniques/T1059).(Citation:&nbsp;ExpressVPN&nbsp;PATH&nbsp;env</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ple&nbsp;path&lt;/code&gt;&nbsp;will&nbsp;be&nbsp;called&nbsp;instead&nbsp;of&nbsp;the&nbsp;Windows&nbsp;system</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Windows&nbsp;2021)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;directly&nbsp;modify&nbsp;the&nbsp;$PA</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;\"net\"&nbsp;when&nbsp;\"net\"&nbsp;is&nbsp;executed&nbsp;from&nbsp;the&nbsp;command-line.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">TH&nbsp;variable&nbsp;specifying&nbsp;the&nbsp;directories&nbsp;to&nbsp;be&nbsp;searched.&nbsp;&nbsp;An&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dversary&nbsp;can&nbsp;modify&nbsp;the&nbsp;`$PATH`&nbsp;variable&nbsp;to&nbsp;point&nbsp;to&nbsp;a&nbsp;direc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tory&nbsp;they&nbsp;have&nbsp;write&nbsp;access.&nbsp;When&nbsp;a&nbsp;program&nbsp;using&nbsp;the&nbsp;$PATH&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">variable&nbsp;is&nbsp;called,&nbsp;the&nbsp;OS&nbsp;searches&nbsp;the&nbsp;specified&nbsp;directory&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">and&nbsp;executes&nbsp;the&nbsp;malicious&nbsp;binary.&nbsp;On&nbsp;macOS,&nbsp;this&nbsp;can&nbsp;also&nbsp;b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;performed&nbsp;through&nbsp;modifying&nbsp;the&nbsp;$HOME&nbsp;variable.&nbsp;These&nbsp;vari</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ables&nbsp;can&nbsp;be&nbsp;modified&nbsp;using&nbsp;the&nbsp;command-line,&nbsp;launchctl,&nbsp;[Un</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ix&nbsp;Shell&nbsp;Configuration&nbsp;Modification](https://attack.mitre.or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g/techniques/T1546/004),&nbsp;or&nbsp;modifying&nbsp;the&nbsp;`/etc/paths.d`&nbsp;fol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">der&nbsp;contents.(Citation:&nbsp;uptycs&nbsp;Fake&nbsp;POC&nbsp;linux&nbsp;malware&nbsp;2023)(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Citation:&nbsp;nixCraft&nbsp;macOS&nbsp;PATH&nbsp;variables)(Citation:&nbsp;Elastic&nbsp;R</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ules&nbsp;macOS&nbsp;launchctl&nbsp;2022)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to4__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to4__0\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"from4_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"to4_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cking&nbsp;environment&nbsp;variables&nbsp;used&nbsp;to&nbsp;load&nbsp;libraries.&nbsp;Adversar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cking&nbsp;environment&nbsp;variables&nbsp;used&nbsp;to&nbsp;load&nbsp;libraries.&nbsp;The&nbsp;PATH</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ies&nbsp;may&nbsp;place&nbsp;a&nbsp;program&nbsp;in&nbsp;an&nbsp;earlier&nbsp;entry&nbsp;in&nbsp;the&nbsp;list&nbsp;of&nbsp;d</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;environment&nbsp;variable&nbsp;contains&nbsp;a&nbsp;list&nbsp;of&nbsp;directories&nbsp;(User&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">irectories&nbsp;stored&nbsp;in&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable,&nbsp;which&nbsp;Wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;System)&nbsp;that&nbsp;the&nbsp;OS&nbsp;searches&nbsp;sequentially&nbsp;through&nbsp;in&nbsp;sear</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ndows&nbsp;will&nbsp;then&nbsp;execute&nbsp;when&nbsp;it&nbsp;searches&nbsp;sequentially&nbsp;throug</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ch&nbsp;of&nbsp;the&nbsp;binary&nbsp;that&nbsp;was&nbsp;called&nbsp;from&nbsp;a&nbsp;script&nbsp;or&nbsp;the&nbsp;comman</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">h&nbsp;that&nbsp;PATH&nbsp;listing&nbsp;in&nbsp;search&nbsp;of&nbsp;the&nbsp;binary&nbsp;that&nbsp;was&nbsp;called&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;line.&nbsp;&nbsp;&nbsp;Adversaries&nbsp;can&nbsp;place&nbsp;a&nbsp;malicious&nbsp;program&nbsp;in&nbsp;an&nbsp;ea</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">from&nbsp;a&nbsp;script&nbsp;or&nbsp;the&nbsp;command&nbsp;line.&nbsp;&nbsp;The&nbsp;PATH&nbsp;environment&nbsp;var</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rlier&nbsp;entry&nbsp;in&nbsp;the&nbsp;list&nbsp;of&nbsp;directories&nbsp;stored&nbsp;in&nbsp;the&nbsp;PATH&nbsp;en</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">iable&nbsp;contains&nbsp;a&nbsp;list&nbsp;of&nbsp;directories.&nbsp;Certain&nbsp;methods&nbsp;of&nbsp;exe</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vironment&nbsp;variable,&nbsp;resulting&nbsp;in&nbsp;the&nbsp;operating&nbsp;system&nbsp;execut</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cuting&nbsp;a&nbsp;program&nbsp;(namely&nbsp;using&nbsp;cmd.exe&nbsp;or&nbsp;the&nbsp;command-line)&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;the&nbsp;malicious&nbsp;binary&nbsp;rather&nbsp;than&nbsp;the&nbsp;legitimate&nbsp;binary&nbsp;w</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rely&nbsp;solely&nbsp;on&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable&nbsp;to&nbsp;determine&nbsp;th</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hen&nbsp;it&nbsp;searches&nbsp;sequentially&nbsp;through&nbsp;that&nbsp;PATH&nbsp;listing.&nbsp;&nbsp;For</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;locations&nbsp;that&nbsp;are&nbsp;searched&nbsp;for&nbsp;a&nbsp;program&nbsp;when&nbsp;the&nbsp;path&nbsp;fo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;example,&nbsp;on&nbsp;Windows&nbsp;if&nbsp;an&nbsp;adversary&nbsp;places&nbsp;a&nbsp;malicious&nbsp;prog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">r&nbsp;the&nbsp;program&nbsp;is&nbsp;not&nbsp;given.&nbsp;If&nbsp;any&nbsp;directories&nbsp;are&nbsp;listed&nbsp;in</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ram&nbsp;named&nbsp;\"net.exe\"&nbsp;in&nbsp;`C:\\example&nbsp;path`,&nbsp;which&nbsp;by&nbsp;default&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable&nbsp;before&nbsp;the&nbsp;Windows&nbsp;directory,</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">recedes&nbsp;`C:\\Windows\\system32\\net.exe`&nbsp;in&nbsp;the&nbsp;PATH&nbsp;environmen</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;&lt;code&gt;%SystemRoot%\\system32&lt;/code&gt;&nbsp;(e.g.,&nbsp;&lt;code&gt;C:\\Windows\\</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t&nbsp;variable,&nbsp;when&nbsp;\"net\"&nbsp;is&nbsp;executed&nbsp;from&nbsp;the&nbsp;command-line&nbsp;the</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">system32&lt;/code&gt;),&nbsp;a&nbsp;program&nbsp;may&nbsp;be&nbsp;placed&nbsp;in&nbsp;the&nbsp;preceding&nbsp;d</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;`C:\\example&nbsp;path`&nbsp;will&nbsp;be&nbsp;called&nbsp;instead&nbsp;of&nbsp;the&nbsp;system's&nbsp;le</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">irectory&nbsp;that&nbsp;is&nbsp;named&nbsp;the&nbsp;same&nbsp;as&nbsp;a&nbsp;Windows&nbsp;program&nbsp;(such&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">gitimate&nbsp;executable&nbsp;at&nbsp;`C:\\Windows\\system32\\net.exe`.&nbsp;Some&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;cmd,&nbsp;PowerShell,&nbsp;or&nbsp;Python),&nbsp;which&nbsp;will&nbsp;be&nbsp;executed&nbsp;when&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ethods&nbsp;of&nbsp;executing&nbsp;a&nbsp;program&nbsp;rely&nbsp;on&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;v</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">hat&nbsp;command&nbsp;is&nbsp;executed&nbsp;from&nbsp;a&nbsp;script&nbsp;or&nbsp;command-line.&nbsp;&nbsp;For&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ariable&nbsp;to&nbsp;determine&nbsp;the&nbsp;locations&nbsp;that&nbsp;are&nbsp;searched&nbsp;when&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">example,&nbsp;if&nbsp;&lt;code&gt;C:\\example&nbsp;path&lt;/code&gt;&nbsp;precedes&nbsp;&lt;/code&gt;C:\\</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;path&nbsp;for&nbsp;the&nbsp;program&nbsp;is&nbsp;not&nbsp;given,&nbsp;such&nbsp;as&nbsp;executing&nbsp;progr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Windows\\system32&lt;/code&gt;&nbsp;is&nbsp;in&nbsp;the&nbsp;PATH&nbsp;environment&nbsp;variable,</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ams&nbsp;from&nbsp;a&nbsp;[Command&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://attac</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;program&nbsp;that&nbsp;is&nbsp;named&nbsp;net.exe&nbsp;and&nbsp;placed&nbsp;in&nbsp;&lt;code&gt;C:\\exam</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">k.mitre.org/techniques/T1059).(Citation:&nbsp;ExpressVPN&nbsp;PATH&nbsp;env</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ple&nbsp;path&lt;/code&gt;&nbsp;will&nbsp;be&nbsp;called&nbsp;instead&nbsp;of&nbsp;the&nbsp;Windows&nbsp;system</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Windows&nbsp;2021)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;directly&nbsp;modify&nbsp;the&nbsp;$PA</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;\"net\"&nbsp;when&nbsp;\"net\"&nbsp;is&nbsp;executed&nbsp;from&nbsp;the&nbsp;command-line.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">TH&nbsp;variable&nbsp;specifying&nbsp;the&nbsp;directories&nbsp;to&nbsp;be&nbsp;searched.&nbsp;&nbsp;An&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dversary&nbsp;can&nbsp;modify&nbsp;the&nbsp;`$PATH`&nbsp;variable&nbsp;to&nbsp;point&nbsp;to&nbsp;a&nbsp;direc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tory&nbsp;they&nbsp;have&nbsp;write&nbsp;access.&nbsp;When&nbsp;a&nbsp;program&nbsp;using&nbsp;the&nbsp;$PATH&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">variable&nbsp;is&nbsp;called,&nbsp;the&nbsp;OS&nbsp;searches&nbsp;the&nbsp;specified&nbsp;directory&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">and&nbsp;executes&nbsp;the&nbsp;malicious&nbsp;binary.&nbsp;On&nbsp;macOS,&nbsp;this&nbsp;can&nbsp;also&nbsp;b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;performed&nbsp;through&nbsp;modifying&nbsp;the&nbsp;$HOME&nbsp;variable.&nbsp;These&nbsp;vari</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ables&nbsp;can&nbsp;be&nbsp;modified&nbsp;using&nbsp;the&nbsp;command-line,&nbsp;launchctl,&nbsp;[Un</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ix&nbsp;Shell&nbsp;Configuration&nbsp;Modification](https://attack.mitre.or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g/techniques/T1546/004),&nbsp;or&nbsp;modifying&nbsp;the&nbsp;`/etc/paths.d`&nbsp;fol</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">der&nbsp;contents.(Citation:&nbsp;uptycs&nbsp;Fake&nbsp;POC&nbsp;linux&nbsp;malware&nbsp;2023)(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Citation:&nbsp;nixCraft&nbsp;macOS&nbsp;PATH&nbsp;variables)(Citation:&nbsp;Elastic&nbsp;R</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ules&nbsp;macOS&nbsp;launchctl&nbsp;2022)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1022: Restrict File and Directory Permissions",
@@ -6547,7 +6547,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-05-28 16:57:27.185000+00:00\", \"old_value\": \"2023-04-12 13:43:42.986000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\\n\\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \\n\\nAdversaries may also focus on specific applications such as Sysmon. For example, the \\u201cStart\\u201d and \\u201cEnable\\u201d values in <code>HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \\n\\nOn network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\\n\\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\\n\\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\\n\\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)\", \"old_value\": \"Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\\n\\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \\n\\nAdversaries may also focus on specific applications such as Sysmon. For example, the \\u201cStart\\u201d and \\u201cEnable\\u201d values in <code>HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \\n\\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\\n\\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\\n\\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)\", \"diff\": \"--- \\n+++ \\n@@ -4,6 +4,8 @@\\n \\n Adversaries may also focus on specific applications such as Sysmon. For example, the \\u201cStart\\u201d and \\u201cEnable\\u201d values in <code>HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \\n \\n+On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)\\n+\\n In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\\n \\n Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Analysis of FG-IR-22-369\", \"description\": \" Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.\", \"url\": \"https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis\"}, \"root['external_references'][2]\": {\"source_name\": \"Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation\", \"description\": \"ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem\"}, \"root['x_mitre_data_sources'][2]\": \"Process: Process Creation\", \"root['x_mitre_platforms'][5]\": \"Network\"}}",
                     "previous_version": "1.4",
                     "version_change": "1.4 \u2192 1.5",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to8__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to8__0\"><a href=\"#difflib_chg_to8__top\">t</a></td><td class=\"diff_header\" id=\"from8_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td><td class=\"diff_next\"><a href=\"#difflib_chg_to8__top\">t</a></td><td class=\"diff_header\" id=\"to8_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;possible&nbsp;detection&nbsp;of&nbsp;their&nbsp;malware/tools&nbsp;and&nbsp;activities.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;possible&nbsp;detection&nbsp;of&nbsp;their&nbsp;malware/tools&nbsp;and&nbsp;activities.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">This&nbsp;may&nbsp;take&nbsp;many&nbsp;forms,&nbsp;such&nbsp;as&nbsp;killing&nbsp;security&nbsp;software&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">This&nbsp;may&nbsp;take&nbsp;many&nbsp;forms,&nbsp;such&nbsp;as&nbsp;killing&nbsp;security&nbsp;software&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">processes&nbsp;or&nbsp;services,&nbsp;modifying&nbsp;/&nbsp;deleting&nbsp;Registry&nbsp;keys&nbsp;or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">processes&nbsp;or&nbsp;services,&nbsp;modifying&nbsp;/&nbsp;deleting&nbsp;Registry&nbsp;keys&nbsp;or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;configuration&nbsp;files&nbsp;so&nbsp;that&nbsp;tools&nbsp;do&nbsp;not&nbsp;operate&nbsp;properly,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;configuration&nbsp;files&nbsp;so&nbsp;that&nbsp;tools&nbsp;do&nbsp;not&nbsp;operate&nbsp;properly,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;methods&nbsp;to&nbsp;interfere&nbsp;with&nbsp;security&nbsp;tools&nbsp;scanning&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;methods&nbsp;to&nbsp;interfere&nbsp;with&nbsp;security&nbsp;tools&nbsp;scanning&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;reporting&nbsp;information.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;disable&nbsp;update</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;reporting&nbsp;information.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;disable&nbsp;update</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;to&nbsp;prevent&nbsp;the&nbsp;latest&nbsp;security&nbsp;patches&nbsp;from&nbsp;reaching&nbsp;tools</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;to&nbsp;prevent&nbsp;the&nbsp;latest&nbsp;security&nbsp;patches&nbsp;from&nbsp;reaching&nbsp;tools</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;on&nbsp;victim&nbsp;systems.(Citation:&nbsp;SCADAfence_ransomware)&nbsp;&nbsp;Advers</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;on&nbsp;victim&nbsp;systems.(Citation:&nbsp;SCADAfence_ransomware)&nbsp;&nbsp;Advers</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aries&nbsp;may&nbsp;also&nbsp;tamper&nbsp;with&nbsp;artifacts&nbsp;deployed&nbsp;and&nbsp;utilized&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aries&nbsp;may&nbsp;also&nbsp;tamper&nbsp;with&nbsp;artifacts&nbsp;deployed&nbsp;and&nbsp;utilized&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;security&nbsp;tools.&nbsp;Security&nbsp;tools&nbsp;may&nbsp;make&nbsp;dynamic&nbsp;changes&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;security&nbsp;tools.&nbsp;Security&nbsp;tools&nbsp;may&nbsp;make&nbsp;dynamic&nbsp;changes&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;components&nbsp;in&nbsp;order&nbsp;to&nbsp;maintain&nbsp;visibility&nbsp;into&nbsp;spec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;components&nbsp;in&nbsp;order&nbsp;to&nbsp;maintain&nbsp;visibility&nbsp;into&nbsp;spec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ific&nbsp;events.&nbsp;For&nbsp;example,&nbsp;security&nbsp;products&nbsp;may&nbsp;load&nbsp;their&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ific&nbsp;events.&nbsp;For&nbsp;example,&nbsp;security&nbsp;products&nbsp;may&nbsp;load&nbsp;their&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wn&nbsp;modules&nbsp;and/or&nbsp;modify&nbsp;those&nbsp;loaded&nbsp;by&nbsp;processes&nbsp;to&nbsp;facili</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wn&nbsp;modules&nbsp;and/or&nbsp;modify&nbsp;those&nbsp;loaded&nbsp;by&nbsp;processes&nbsp;to&nbsp;facili</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tate&nbsp;data&nbsp;collection.&nbsp;Similar&nbsp;to&nbsp;[Indicator&nbsp;Blocking](https:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tate&nbsp;data&nbsp;collection.&nbsp;Similar&nbsp;to&nbsp;[Indicator&nbsp;Blocking](https:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">//attack.mitre.org/techniques/T1562/006),&nbsp;adversaries&nbsp;may&nbsp;un</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">//attack.mitre.org/techniques/T1562/006),&nbsp;adversaries&nbsp;may&nbsp;un</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hook&nbsp;or&nbsp;otherwise&nbsp;modify&nbsp;these&nbsp;features&nbsp;added&nbsp;by&nbsp;tools&nbsp;(espe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hook&nbsp;or&nbsp;otherwise&nbsp;modify&nbsp;these&nbsp;features&nbsp;added&nbsp;by&nbsp;tools&nbsp;(espe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cially&nbsp;those&nbsp;that&nbsp;exist&nbsp;in&nbsp;userland&nbsp;or&nbsp;are&nbsp;otherwise&nbsp;potenti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cially&nbsp;those&nbsp;that&nbsp;exist&nbsp;in&nbsp;userland&nbsp;or&nbsp;are&nbsp;otherwise&nbsp;potenti</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;accessible&nbsp;to&nbsp;adversaries)&nbsp;to&nbsp;avoid&nbsp;detection.(Citation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;accessible&nbsp;to&nbsp;adversaries)&nbsp;to&nbsp;avoid&nbsp;detection.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;&nbsp;&nbsp;Adv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;&nbsp;&nbsp;Adv</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ersaries&nbsp;may&nbsp;also&nbsp;focus&nbsp;on&nbsp;specific&nbsp;applications&nbsp;such&nbsp;as&nbsp;Sys</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ersaries&nbsp;may&nbsp;also&nbsp;focus&nbsp;on&nbsp;specific&nbsp;applications&nbsp;such&nbsp;as&nbsp;Sys</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mon.&nbsp;For&nbsp;example,&nbsp;the&nbsp;\u201cStart\u201d&nbsp;and&nbsp;\u201cEnable\u201d&nbsp;values&nbsp;in&nbsp;&lt;code&gt;H</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mon.&nbsp;For&nbsp;example,&nbsp;the&nbsp;\u201cStart\u201d&nbsp;and&nbsp;\u201cEnable\u201d&nbsp;values&nbsp;in&nbsp;&lt;code&gt;H</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">KEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autol</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">KEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autol</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogger\\EventLog-Microsoft-Windows-Sysmon-Operational&lt;/code&gt;&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogger\\EventLog-Microsoft-Windows-Sysmon-Operational&lt;/code&gt;&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;be&nbsp;modified&nbsp;to&nbsp;tamper&nbsp;with&nbsp;and&nbsp;potentially&nbsp;disable&nbsp;Sysmon</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;be&nbsp;modified&nbsp;to&nbsp;tamper&nbsp;with&nbsp;and&nbsp;potentially&nbsp;disable&nbsp;Sysmon</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;logging.(Citation:&nbsp;disable_win_evt_logging)&nbsp;&nbsp;&nbsp;I<span class=\"diff_chg\">n&nbsp;cloud</span>&nbsp;envi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;logging.(Citation:&nbsp;disable_win_evt_logging)&nbsp;&nbsp;&nbsp;<span class=\"diff_add\">On&nbsp;network&nbsp;de</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ronments,&nbsp;tools&nbsp;disabled&nbsp;by&nbsp;adversaries&nbsp;may&nbsp;include&nbsp;cloud&nbsp;mo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vices,&nbsp;adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;skip&nbsp;digital&nbsp;signature&nbsp;ver</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nitoring&nbsp;agents&nbsp;that&nbsp;report&nbsp;back&nbsp;to&nbsp;services&nbsp;such&nbsp;as&nbsp;AWS&nbsp;Clo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ification&nbsp;checks&nbsp;by&nbsp;altering&nbsp;startup&nbsp;configuration&nbsp;files&nbsp;and</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">udWatch&nbsp;or&nbsp;Google&nbsp;Cloud&nbsp;Monitor.&nbsp;&nbsp;Furthermore,&nbsp;although&nbsp;defe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;effectively&nbsp;disabling&nbsp;firmware&nbsp;verification&nbsp;that&nbsp;typically&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nsive&nbsp;tools&nbsp;may&nbsp;have&nbsp;anti-tampering&nbsp;mechanisms,&nbsp;adversaries&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">occurs&nbsp;at&nbsp;boot.(Citation:&nbsp;Fortinet&nbsp;Zero-Day&nbsp;and&nbsp;Custom&nbsp;Malwa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;abuse&nbsp;tools&nbsp;such&nbsp;as&nbsp;legitimate&nbsp;rootkit&nbsp;removal&nbsp;kits&nbsp;to&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re&nbsp;Used&nbsp;by&nbsp;Suspected&nbsp;Chinese&nbsp;Actor&nbsp;in&nbsp;Espionage&nbsp;Operation)(C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mpair&nbsp;and/or&nbsp;disable&nbsp;these&nbsp;tools.(Citation:&nbsp;chasing_avaddon_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">itation:&nbsp;Analysis&nbsp;of&nbsp;FG-</span>I<span class=\"diff_chg\">R-22-369)&nbsp;&nbsp;In&nbsp;cloud</span>&nbsp;environments,&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ransomware)(Citation:&nbsp;dharma_ransomware)(Citation:&nbsp;demystify</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ools&nbsp;disabled&nbsp;by&nbsp;adversaries&nbsp;may&nbsp;include&nbsp;cloud&nbsp;monitoring&nbsp;ag</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing_ryuk)(Citation:&nbsp;doppelpaymer_crowdstrike)&nbsp;For&nbsp;example,&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ents&nbsp;that&nbsp;report&nbsp;back&nbsp;to&nbsp;services&nbsp;such&nbsp;as&nbsp;AWS&nbsp;CloudWatch&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dversaries&nbsp;have&nbsp;used&nbsp;tools&nbsp;such&nbsp;as&nbsp;GMER&nbsp;to&nbsp;find&nbsp;and&nbsp;shut&nbsp;dow</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Google&nbsp;Cloud&nbsp;Monitor.&nbsp;&nbsp;Furthermore,&nbsp;although&nbsp;defensive&nbsp;tools</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;hidden&nbsp;processes&nbsp;and&nbsp;antivirus&nbsp;software&nbsp;on&nbsp;infected&nbsp;system</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;have&nbsp;anti-tampering&nbsp;mechanisms,&nbsp;adversaries&nbsp;may&nbsp;abuse&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.(Citation:&nbsp;demystifying_ryuk)&nbsp;&nbsp;Additionally,&nbsp;adversaries&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ools&nbsp;such&nbsp;as&nbsp;legitimate&nbsp;rootkit&nbsp;removal&nbsp;kits&nbsp;to&nbsp;impair&nbsp;and/o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;exploit&nbsp;legitimate&nbsp;drivers&nbsp;from&nbsp;anti-virus&nbsp;software&nbsp;to&nbsp;ga</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;disable&nbsp;these&nbsp;tools.(Citation:&nbsp;chasing_avaddon_ransomware)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;access&nbsp;to&nbsp;kernel&nbsp;space&nbsp;(i.e.&nbsp;[Exploitation&nbsp;for&nbsp;Privilege&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;dharma_ransomware)(Citation:&nbsp;demystifying_ryuk)(C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Escalation](https://attack.mitre.org/techniques/T1068)),&nbsp;whi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;doppelpaymer_crowdstrike)&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch&nbsp;may&nbsp;lead&nbsp;to&nbsp;bypassing&nbsp;anti-tampering&nbsp;features.(Citation:&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">have&nbsp;used&nbsp;tools&nbsp;such&nbsp;as&nbsp;GMER&nbsp;to&nbsp;find&nbsp;and&nbsp;shut&nbsp;down&nbsp;hidden&nbsp;pr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">avoslocker_ransomware)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ocesses&nbsp;and&nbsp;antivirus&nbsp;software&nbsp;on&nbsp;infected&nbsp;systems.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;demystifying_ryuk)&nbsp;&nbsp;Additionally,&nbsp;adversaries&nbsp;may&nbsp;exploit&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">legitimate&nbsp;drivers&nbsp;from&nbsp;anti-virus&nbsp;software&nbsp;to&nbsp;gain&nbsp;access&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;kernel&nbsp;space&nbsp;(i.e.&nbsp;[Exploitation&nbsp;for&nbsp;Privilege&nbsp;Escalation]</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(https://attack.mitre.org/techniques/T1068)),&nbsp;which&nbsp;may&nbsp;lead</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;bypassing&nbsp;anti-tampering&nbsp;features.(Citation:&nbsp;avoslocker_</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ransomware)</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to26__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to26__0\"><a href=\"#difflib_chg_to26__top\">t</a></td><td class=\"diff_header\" id=\"from26_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td><td class=\"diff_next\"><a href=\"#difflib_chg_to26__top\">t</a></td><td class=\"diff_header\" id=\"to26_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;modify&nbsp;and/or&nbsp;disable&nbsp;security&nbsp;tools&nbsp;to&nbsp;avoi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;possible&nbsp;detection&nbsp;of&nbsp;their&nbsp;malware/tools&nbsp;and&nbsp;activities.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;possible&nbsp;detection&nbsp;of&nbsp;their&nbsp;malware/tools&nbsp;and&nbsp;activities.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">This&nbsp;may&nbsp;take&nbsp;many&nbsp;forms,&nbsp;such&nbsp;as&nbsp;killing&nbsp;security&nbsp;software&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">This&nbsp;may&nbsp;take&nbsp;many&nbsp;forms,&nbsp;such&nbsp;as&nbsp;killing&nbsp;security&nbsp;software&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">processes&nbsp;or&nbsp;services,&nbsp;modifying&nbsp;/&nbsp;deleting&nbsp;Registry&nbsp;keys&nbsp;or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">processes&nbsp;or&nbsp;services,&nbsp;modifying&nbsp;/&nbsp;deleting&nbsp;Registry&nbsp;keys&nbsp;or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;configuration&nbsp;files&nbsp;so&nbsp;that&nbsp;tools&nbsp;do&nbsp;not&nbsp;operate&nbsp;properly,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;configuration&nbsp;files&nbsp;so&nbsp;that&nbsp;tools&nbsp;do&nbsp;not&nbsp;operate&nbsp;properly,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;methods&nbsp;to&nbsp;interfere&nbsp;with&nbsp;security&nbsp;tools&nbsp;scanning&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;other&nbsp;methods&nbsp;to&nbsp;interfere&nbsp;with&nbsp;security&nbsp;tools&nbsp;scanning&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;reporting&nbsp;information.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;disable&nbsp;update</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;reporting&nbsp;information.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;disable&nbsp;update</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;to&nbsp;prevent&nbsp;the&nbsp;latest&nbsp;security&nbsp;patches&nbsp;from&nbsp;reaching&nbsp;tools</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;to&nbsp;prevent&nbsp;the&nbsp;latest&nbsp;security&nbsp;patches&nbsp;from&nbsp;reaching&nbsp;tools</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;on&nbsp;victim&nbsp;systems.(Citation:&nbsp;SCADAfence_ransomware)&nbsp;&nbsp;Advers</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;on&nbsp;victim&nbsp;systems.(Citation:&nbsp;SCADAfence_ransomware)&nbsp;&nbsp;Advers</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aries&nbsp;may&nbsp;also&nbsp;tamper&nbsp;with&nbsp;artifacts&nbsp;deployed&nbsp;and&nbsp;utilized&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aries&nbsp;may&nbsp;also&nbsp;tamper&nbsp;with&nbsp;artifacts&nbsp;deployed&nbsp;and&nbsp;utilized&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;security&nbsp;tools.&nbsp;Security&nbsp;tools&nbsp;may&nbsp;make&nbsp;dynamic&nbsp;changes&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;security&nbsp;tools.&nbsp;Security&nbsp;tools&nbsp;may&nbsp;make&nbsp;dynamic&nbsp;changes&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;components&nbsp;in&nbsp;order&nbsp;to&nbsp;maintain&nbsp;visibility&nbsp;into&nbsp;spec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;components&nbsp;in&nbsp;order&nbsp;to&nbsp;maintain&nbsp;visibility&nbsp;into&nbsp;spec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ific&nbsp;events.&nbsp;For&nbsp;example,&nbsp;security&nbsp;products&nbsp;may&nbsp;load&nbsp;their&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ific&nbsp;events.&nbsp;For&nbsp;example,&nbsp;security&nbsp;products&nbsp;may&nbsp;load&nbsp;their&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wn&nbsp;modules&nbsp;and/or&nbsp;modify&nbsp;those&nbsp;loaded&nbsp;by&nbsp;processes&nbsp;to&nbsp;facili</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wn&nbsp;modules&nbsp;and/or&nbsp;modify&nbsp;those&nbsp;loaded&nbsp;by&nbsp;processes&nbsp;to&nbsp;facili</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tate&nbsp;data&nbsp;collection.&nbsp;Similar&nbsp;to&nbsp;[Indicator&nbsp;Blocking](https:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tate&nbsp;data&nbsp;collection.&nbsp;Similar&nbsp;to&nbsp;[Indicator&nbsp;Blocking](https:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">//attack.mitre.org/techniques/T1562/006),&nbsp;adversaries&nbsp;may&nbsp;un</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">//attack.mitre.org/techniques/T1562/006),&nbsp;adversaries&nbsp;may&nbsp;un</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hook&nbsp;or&nbsp;otherwise&nbsp;modify&nbsp;these&nbsp;features&nbsp;added&nbsp;by&nbsp;tools&nbsp;(espe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hook&nbsp;or&nbsp;otherwise&nbsp;modify&nbsp;these&nbsp;features&nbsp;added&nbsp;by&nbsp;tools&nbsp;(espe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cially&nbsp;those&nbsp;that&nbsp;exist&nbsp;in&nbsp;userland&nbsp;or&nbsp;are&nbsp;otherwise&nbsp;potenti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cially&nbsp;those&nbsp;that&nbsp;exist&nbsp;in&nbsp;userland&nbsp;or&nbsp;are&nbsp;otherwise&nbsp;potenti</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;accessible&nbsp;to&nbsp;adversaries)&nbsp;to&nbsp;avoid&nbsp;detection.(Citation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;accessible&nbsp;to&nbsp;adversaries)&nbsp;to&nbsp;avoid&nbsp;detection.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;&nbsp;&nbsp;Adv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;&nbsp;&nbsp;Adv</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ersaries&nbsp;may&nbsp;also&nbsp;focus&nbsp;on&nbsp;specific&nbsp;applications&nbsp;such&nbsp;as&nbsp;Sys</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ersaries&nbsp;may&nbsp;also&nbsp;focus&nbsp;on&nbsp;specific&nbsp;applications&nbsp;such&nbsp;as&nbsp;Sys</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mon.&nbsp;For&nbsp;example,&nbsp;the&nbsp;\u201cStart\u201d&nbsp;and&nbsp;\u201cEnable\u201d&nbsp;values&nbsp;in&nbsp;&lt;code&gt;H</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mon.&nbsp;For&nbsp;example,&nbsp;the&nbsp;\u201cStart\u201d&nbsp;and&nbsp;\u201cEnable\u201d&nbsp;values&nbsp;in&nbsp;&lt;code&gt;H</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">KEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autol</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">KEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autol</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogger\\EventLog-Microsoft-Windows-Sysmon-Operational&lt;/code&gt;&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogger\\EventLog-Microsoft-Windows-Sysmon-Operational&lt;/code&gt;&nbsp;m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;be&nbsp;modified&nbsp;to&nbsp;tamper&nbsp;with&nbsp;and&nbsp;potentially&nbsp;disable&nbsp;Sysmon</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;be&nbsp;modified&nbsp;to&nbsp;tamper&nbsp;with&nbsp;and&nbsp;potentially&nbsp;disable&nbsp;Sysmon</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;logging.(Citation:&nbsp;disable_win_evt_logging)&nbsp;&nbsp;&nbsp;I<span class=\"diff_chg\">n&nbsp;cloud</span>&nbsp;envi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;logging.(Citation:&nbsp;disable_win_evt_logging)&nbsp;&nbsp;&nbsp;<span class=\"diff_add\">On&nbsp;network&nbsp;de</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ronments,&nbsp;tools&nbsp;disabled&nbsp;by&nbsp;adversaries&nbsp;may&nbsp;include&nbsp;cloud&nbsp;mo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vices,&nbsp;adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;skip&nbsp;digital&nbsp;signature&nbsp;ver</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nitoring&nbsp;agents&nbsp;that&nbsp;report&nbsp;back&nbsp;to&nbsp;services&nbsp;such&nbsp;as&nbsp;AWS&nbsp;Clo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ification&nbsp;checks&nbsp;by&nbsp;altering&nbsp;startup&nbsp;configuration&nbsp;files&nbsp;and</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">udWatch&nbsp;or&nbsp;Google&nbsp;Cloud&nbsp;Monitor.&nbsp;&nbsp;Furthermore,&nbsp;although&nbsp;defe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;effectively&nbsp;disabling&nbsp;firmware&nbsp;verification&nbsp;that&nbsp;typically&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nsive&nbsp;tools&nbsp;may&nbsp;have&nbsp;anti-tampering&nbsp;mechanisms,&nbsp;adversaries&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">occurs&nbsp;at&nbsp;boot.(Citation:&nbsp;Fortinet&nbsp;Zero-Day&nbsp;and&nbsp;Custom&nbsp;Malwa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;abuse&nbsp;tools&nbsp;such&nbsp;as&nbsp;legitimate&nbsp;rootkit&nbsp;removal&nbsp;kits&nbsp;to&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re&nbsp;Used&nbsp;by&nbsp;Suspected&nbsp;Chinese&nbsp;Actor&nbsp;in&nbsp;Espionage&nbsp;Operation)(C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mpair&nbsp;and/or&nbsp;disable&nbsp;these&nbsp;tools.(Citation:&nbsp;chasing_avaddon_</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">itation:&nbsp;Analysis&nbsp;of&nbsp;FG-</span>I<span class=\"diff_chg\">R-22-369)&nbsp;&nbsp;In&nbsp;cloud</span>&nbsp;environments,&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ransomware)(Citation:&nbsp;dharma_ransomware)(Citation:&nbsp;demystify</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ools&nbsp;disabled&nbsp;by&nbsp;adversaries&nbsp;may&nbsp;include&nbsp;cloud&nbsp;monitoring&nbsp;ag</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing_ryuk)(Citation:&nbsp;doppelpaymer_crowdstrike)&nbsp;For&nbsp;example,&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ents&nbsp;that&nbsp;report&nbsp;back&nbsp;to&nbsp;services&nbsp;such&nbsp;as&nbsp;AWS&nbsp;CloudWatch&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dversaries&nbsp;have&nbsp;used&nbsp;tools&nbsp;such&nbsp;as&nbsp;GMER&nbsp;to&nbsp;find&nbsp;and&nbsp;shut&nbsp;dow</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Google&nbsp;Cloud&nbsp;Monitor.&nbsp;&nbsp;Furthermore,&nbsp;although&nbsp;defensive&nbsp;tools</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;hidden&nbsp;processes&nbsp;and&nbsp;antivirus&nbsp;software&nbsp;on&nbsp;infected&nbsp;system</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;may&nbsp;have&nbsp;anti-tampering&nbsp;mechanisms,&nbsp;adversaries&nbsp;may&nbsp;abuse&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.(Citation:&nbsp;demystifying_ryuk)&nbsp;&nbsp;Additionally,&nbsp;adversaries&nbsp;m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ools&nbsp;such&nbsp;as&nbsp;legitimate&nbsp;rootkit&nbsp;removal&nbsp;kits&nbsp;to&nbsp;impair&nbsp;and/o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ay&nbsp;exploit&nbsp;legitimate&nbsp;drivers&nbsp;from&nbsp;anti-virus&nbsp;software&nbsp;to&nbsp;ga</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;disable&nbsp;these&nbsp;tools.(Citation:&nbsp;chasing_avaddon_ransomware)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;access&nbsp;to&nbsp;kernel&nbsp;space&nbsp;(i.e.&nbsp;[Exploitation&nbsp;for&nbsp;Privilege&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;dharma_ransomware)(Citation:&nbsp;demystifying_ryuk)(C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Escalation](https://attack.mitre.org/techniques/T1068)),&nbsp;whi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;doppelpaymer_crowdstrike)&nbsp;For&nbsp;example,&nbsp;adversaries&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch&nbsp;may&nbsp;lead&nbsp;to&nbsp;bypassing&nbsp;anti-tampering&nbsp;features.(Citation:&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">have&nbsp;used&nbsp;tools&nbsp;such&nbsp;as&nbsp;GMER&nbsp;to&nbsp;find&nbsp;and&nbsp;shut&nbsp;down&nbsp;hidden&nbsp;pr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">avoslocker_ransomware)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ocesses&nbsp;and&nbsp;antivirus&nbsp;software&nbsp;on&nbsp;infected&nbsp;systems.(Citation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">:&nbsp;demystifying_ryuk)&nbsp;&nbsp;Additionally,&nbsp;adversaries&nbsp;may&nbsp;exploit&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">legitimate&nbsp;drivers&nbsp;from&nbsp;anti-virus&nbsp;software&nbsp;to&nbsp;gain&nbsp;access&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;kernel&nbsp;space&nbsp;(i.e.&nbsp;[Exploitation&nbsp;for&nbsp;Privilege&nbsp;Escalation]</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(https://attack.mitre.org/techniques/T1068)),&nbsp;which&nbsp;may&nbsp;lead</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;bypassing&nbsp;anti-tampering&nbsp;features.(Citation:&nbsp;avoslocker_</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ransomware)</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -6661,7 +6661,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 16:40:15.445000+00:00\", \"old_value\": \"2022-05-19 16:28:31.041000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\\u2019s backward compatibility to force it into less secure modes of operation. \\n\\nAdversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n\\nAdversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)\", \"old_value\": \"Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n\\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n+Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\\u2019s backward compatibility to force it into less secure modes of operation. \\n \\n-Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)\\n+Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)\\n+\\n+Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: <code>powershell \\u2013v 2</code>). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.\\n\\nMonitor for Windows event ID (EID) 400, specifically the <code>EngineVersion</code> field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)\\n\\nMonitor network data to detect cases where HTTP is used instead of HTTPS.\", \"old_value\": \"Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: <code>powershell \\u2013v 2</code>). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.\\n\\nMonitor for Windows event ID (EID) 400, specifically the <code>EngineVersion</code> field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: <code>powershell \\u2013v 2</code>). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.\\n \\n Monitor for Windows event ID (EID) 400, specifically the <code>EngineVersion</code> field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)\\n+\\n+Monitor network data to detect cases where HTTP is used instead of HTTPS.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Crowdstrike Downgrade\", \"description\": \"Bart Lenaerts-Bergman. (2023, March 14). WHAT ARE DOWNGRADE ATTACKS?. Retrieved May 24, 2023.\", \"url\": \"https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/\"}, \"root['external_references'][2]\": {\"source_name\": \"Targeted SSL Stripping Attacks Are Real\", \"description\": \"Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.\", \"url\": \"https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/\"}, \"root['x_mitre_contributors'][2]\": \"Arad Inbar, Fidelis Security\"}}",
                     "previous_version": "1.1",
                     "version_change": "1.1 \u2192 1.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to24__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to24__0\"><a href=\"#difflib_chg_to24__top\">t</a></td><td class=\"diff_header\" id=\"from24_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to24__top\">t</a></td><td class=\"diff_header\" id=\"to24_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;that&nbsp;may&nbsp;be&nbsp;outdated,&nbsp;vulnerable,&nbsp;and/or&nbsp;does&nbsp;not&nbsp;support&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;that&nbsp;may&nbsp;be&nbsp;outdated,&nbsp;vulnerable,&nbsp;and/or&nbsp;does&nbsp;not&nbsp;support&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">updated&nbsp;security&nbsp;controls&nbsp;such&nbsp;as&nbsp;logging.&nbsp;For&nbsp;example,&nbsp;[Pow</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">updated&nbsp;security&nbsp;controls.&nbsp;Downgrade&nbsp;attacks&nbsp;typically&nbsp;take&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">erShell](https://attack.mitre.org/techniques/T1059/001)&nbsp;vers</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">advantage&nbsp;of&nbsp;a&nbsp;system\u2019s&nbsp;backward&nbsp;compatibility&nbsp;to&nbsp;force&nbsp;it&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ions&nbsp;5+&nbsp;includes&nbsp;Script&nbsp;Block&nbsp;Logging&nbsp;(SBL)&nbsp;which&nbsp;can&nbsp;record</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nto&nbsp;less&nbsp;secure&nbsp;modes&nbsp;of&nbsp;operation.&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;downgr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;executed&nbsp;script&nbsp;content.&nbsp;However,&nbsp;adversaries&nbsp;may&nbsp;attempt&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ade&nbsp;and&nbsp;use&nbsp;various&nbsp;less-secure&nbsp;versions&nbsp;of&nbsp;features&nbsp;of&nbsp;a&nbsp;sy</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;execute&nbsp;a&nbsp;previous&nbsp;version&nbsp;of&nbsp;PowerShell&nbsp;that&nbsp;does&nbsp;not&nbsp;sup</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">stem,&nbsp;such&nbsp;as&nbsp;[Command&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">port&nbsp;SBL&nbsp;with&nbsp;the&nbsp;intent&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://attack</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tack.mitre.org/techniques/T1059)s&nbsp;or&nbsp;even&nbsp;network&nbsp;protocols&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.mitre.org/techniques/T1562)&nbsp;while&nbsp;running&nbsp;malicious&nbsp;scripts</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">that&nbsp;can&nbsp;be&nbsp;abused&nbsp;to&nbsp;enable&nbsp;[Adversary-in-the-Middle](https</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;that&nbsp;may&nbsp;have&nbsp;otherwise&nbsp;been&nbsp;detected.(Citation:&nbsp;CrowdStrik</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">://attack.mitre.org/techniques/T1557)&nbsp;or&nbsp;[Network&nbsp;Sniffing](</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;BGH&nbsp;Ransomware&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;BYOL&nbsp;2018)(Citatio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">https://attack.mitre.org/techniques/T1040).(Citation:&nbsp;Praeto</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n:&nbsp;att_def_ps_logging)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;downgrade&nbsp;and&nbsp;use&nbsp;le</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rian&nbsp;TLS&nbsp;Downgrade&nbsp;Attack&nbsp;2014)&nbsp;For&nbsp;example,&nbsp;[PowerShell](ht</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ss-secure&nbsp;versions&nbsp;of&nbsp;various&nbsp;features&nbsp;of&nbsp;a&nbsp;system,&nbsp;such&nbsp;as&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tps://attack.mitre.org/techniques/T1059/001)&nbsp;versions&nbsp;5+&nbsp;inc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[Command&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://attack.mitre.org</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ludes&nbsp;Script&nbsp;Block&nbsp;Logging&nbsp;(SBL)&nbsp;which&nbsp;can&nbsp;record&nbsp;executed&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/techniques/T1059)s&nbsp;or&nbsp;even&nbsp;network&nbsp;protocols&nbsp;that&nbsp;can&nbsp;be&nbsp;ab</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cript&nbsp;content.&nbsp;However,&nbsp;adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;execute&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">used&nbsp;to&nbsp;enable&nbsp;[Adversary-in-the-Middle](https://attack.mitr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;previous&nbsp;version&nbsp;of&nbsp;PowerShell&nbsp;that&nbsp;does&nbsp;not&nbsp;support&nbsp;SBL&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e.org/techniques/T1557).(Citation:&nbsp;Praetorian&nbsp;TLS&nbsp;Downgrade&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">th&nbsp;the&nbsp;intent&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://attack.mitre.org/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Attack&nbsp;2014)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">techniques/T1562)&nbsp;while&nbsp;running&nbsp;malicious&nbsp;scripts&nbsp;that&nbsp;may&nbsp;h</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ave&nbsp;otherwise&nbsp;been&nbsp;detected.(Citation:&nbsp;CrowdStrike&nbsp;BGH&nbsp;Ranso</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mware&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;BYOL&nbsp;2018)(Citation:&nbsp;att_def_</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps_logging)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;similarly&nbsp;target&nbsp;network&nbsp;traffi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">c&nbsp;to&nbsp;downgrade&nbsp;from&nbsp;an&nbsp;encrypted&nbsp;HTTPS&nbsp;connection&nbsp;to&nbsp;an&nbsp;unse</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cured&nbsp;HTTP&nbsp;connection&nbsp;that&nbsp;exposes&nbsp;network&nbsp;data&nbsp;in&nbsp;clear&nbsp;tex</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t.(Citation:&nbsp;Targeted&nbsp;SSL&nbsp;Stripping&nbsp;Attacks&nbsp;Are&nbsp;Real)(Citati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on:&nbsp;Crowdstrike&nbsp;Downgrade)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to10__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to10__0\"><a href=\"#difflib_chg_to10__top\">t</a></td><td class=\"diff_header\" id=\"from10_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to10__top\">t</a></td><td class=\"diff_header\" id=\"to10_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;downgrade&nbsp;or&nbsp;use&nbsp;a&nbsp;version&nbsp;of&nbsp;system&nbsp;feature</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;that&nbsp;may&nbsp;be&nbsp;outdated,&nbsp;vulnerable,&nbsp;and/or&nbsp;does&nbsp;not&nbsp;support&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;that&nbsp;may&nbsp;be&nbsp;outdated,&nbsp;vulnerable,&nbsp;and/or&nbsp;does&nbsp;not&nbsp;support&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">updated&nbsp;security&nbsp;controls&nbsp;such&nbsp;as&nbsp;logging.&nbsp;For&nbsp;example,&nbsp;[Pow</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">updated&nbsp;security&nbsp;controls.&nbsp;Downgrade&nbsp;attacks&nbsp;typically&nbsp;take&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">erShell](https://attack.mitre.org/techniques/T1059/001)&nbsp;vers</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">advantage&nbsp;of&nbsp;a&nbsp;system\u2019s&nbsp;backward&nbsp;compatibility&nbsp;to&nbsp;force&nbsp;it&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ions&nbsp;5+&nbsp;includes&nbsp;Script&nbsp;Block&nbsp;Logging&nbsp;(SBL)&nbsp;which&nbsp;can&nbsp;record</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nto&nbsp;less&nbsp;secure&nbsp;modes&nbsp;of&nbsp;operation.&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;downgr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;executed&nbsp;script&nbsp;content.&nbsp;However,&nbsp;adversaries&nbsp;may&nbsp;attempt&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ade&nbsp;and&nbsp;use&nbsp;various&nbsp;less-secure&nbsp;versions&nbsp;of&nbsp;features&nbsp;of&nbsp;a&nbsp;sy</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;execute&nbsp;a&nbsp;previous&nbsp;version&nbsp;of&nbsp;PowerShell&nbsp;that&nbsp;does&nbsp;not&nbsp;sup</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">stem,&nbsp;such&nbsp;as&nbsp;[Command&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">port&nbsp;SBL&nbsp;with&nbsp;the&nbsp;intent&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://attack</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tack.mitre.org/techniques/T1059)s&nbsp;or&nbsp;even&nbsp;network&nbsp;protocols&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.mitre.org/techniques/T1562)&nbsp;while&nbsp;running&nbsp;malicious&nbsp;scripts</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">that&nbsp;can&nbsp;be&nbsp;abused&nbsp;to&nbsp;enable&nbsp;[Adversary-in-the-Middle](https</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;that&nbsp;may&nbsp;have&nbsp;otherwise&nbsp;been&nbsp;detected.(Citation:&nbsp;CrowdStrik</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">://attack.mitre.org/techniques/T1557)&nbsp;or&nbsp;[Network&nbsp;Sniffing](</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;BGH&nbsp;Ransomware&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;BYOL&nbsp;2018)(Citatio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">https://attack.mitre.org/techniques/T1040).(Citation:&nbsp;Praeto</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n:&nbsp;att_def_ps_logging)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;downgrade&nbsp;and&nbsp;use&nbsp;le</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rian&nbsp;TLS&nbsp;Downgrade&nbsp;Attack&nbsp;2014)&nbsp;For&nbsp;example,&nbsp;[PowerShell](ht</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ss-secure&nbsp;versions&nbsp;of&nbsp;various&nbsp;features&nbsp;of&nbsp;a&nbsp;system,&nbsp;such&nbsp;as&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tps://attack.mitre.org/techniques/T1059/001)&nbsp;versions&nbsp;5+&nbsp;inc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[Command&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://attack.mitre.org</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ludes&nbsp;Script&nbsp;Block&nbsp;Logging&nbsp;(SBL)&nbsp;which&nbsp;can&nbsp;record&nbsp;executed&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/techniques/T1059)s&nbsp;or&nbsp;even&nbsp;network&nbsp;protocols&nbsp;that&nbsp;can&nbsp;be&nbsp;ab</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cript&nbsp;content.&nbsp;However,&nbsp;adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;execute&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">used&nbsp;to&nbsp;enable&nbsp;[Adversary-in-the-Middle](https://attack.mitr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;previous&nbsp;version&nbsp;of&nbsp;PowerShell&nbsp;that&nbsp;does&nbsp;not&nbsp;support&nbsp;SBL&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e.org/techniques/T1557).(Citation:&nbsp;Praetorian&nbsp;TLS&nbsp;Downgrade&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">th&nbsp;the&nbsp;intent&nbsp;to&nbsp;[Impair&nbsp;Defenses](https://attack.mitre.org/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Attack&nbsp;2014)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">techniques/T1562)&nbsp;while&nbsp;running&nbsp;malicious&nbsp;scripts&nbsp;that&nbsp;may&nbsp;h</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ave&nbsp;otherwise&nbsp;been&nbsp;detected.(Citation:&nbsp;CrowdStrike&nbsp;BGH&nbsp;Ranso</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mware&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;BYOL&nbsp;2018)(Citation:&nbsp;att_def_</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps_logging)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;similarly&nbsp;target&nbsp;network&nbsp;traffi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">c&nbsp;to&nbsp;downgrade&nbsp;from&nbsp;an&nbsp;encrypted&nbsp;HTTPS&nbsp;connection&nbsp;to&nbsp;an&nbsp;unse</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cured&nbsp;HTTP&nbsp;connection&nbsp;that&nbsp;exposes&nbsp;network&nbsp;data&nbsp;in&nbsp;clear&nbsp;tex</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t.(Citation:&nbsp;Targeted&nbsp;SSL&nbsp;Stripping&nbsp;Attacks&nbsp;Are&nbsp;Real)(Citati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on:&nbsp;Crowdstrike&nbsp;Downgrade)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1042: Disable or Remove Feature or Program"
@@ -6858,7 +6858,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 18:05:28.311000+00:00\", \"old_value\": \"2022-10-21 16:24:06.968000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers</code>\\n\\nWindows may also store information about recent RDP connections in files such as <code>C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp</code> and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"old_value\": \"Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n\\nNetwork connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default</code>\\n* <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers</code>\\n\\nWindows may also store information about recent RDP connections in files such as <code>C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp</code> and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\nServer Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMalicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n-Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n+Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\\n \\n-Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n+Network connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\\n \\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Default</code>\\n * <code>HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers</code>\\n@@ -8,4 +8,4 @@\\n Windows may also store information about recent RDP connections in files such as <code>C:\\\\Users\\\\\\\\%username%\\\\Documents\\\\Default.rdp</code> and `C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\Microsoft\\\\Terminal\\n Server Client\\\\Cache\\\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n \\n-Malicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\\n+Malicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
                     "previous_version": "1.0",
                     "version_change": "1.0 \u2192 1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to1__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to1__0\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"from1_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td><td class=\"diff_next\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"to1_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;connections&nbsp;in&nbsp;order&nbsp;to&nbsp;clean&nbsp;up&nbsp;traces&nbsp;of&nbsp;their&nbsp;operation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;connections&nbsp;in&nbsp;order&nbsp;to&nbsp;clean&nbsp;up&nbsp;traces&nbsp;of&nbsp;their&nbsp;operation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.&nbsp;Configuration&nbsp;settings&nbsp;as&nbsp;well&nbsp;as&nbsp;various&nbsp;artifacts&nbsp;that&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.&nbsp;Configuration&nbsp;settings&nbsp;as&nbsp;well&nbsp;as&nbsp;various&nbsp;artifacts&nbsp;that&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">highlight&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;created&nbsp;on&nbsp;a&nbsp;system&nbsp;<span class=\"diff_chg\">from</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">highlight&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;created&nbsp;on&nbsp;a&nbsp;system&nbsp;<span class=\"diff_chg\">and/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\"></span>&nbsp;behaviors&nbsp;that&nbsp;require&nbsp;network&nbsp;connections,&nbsp;such&nbsp;as&nbsp;[Remote</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">or&nbsp;in&nbsp;application&nbsp;logs&nbsp;from</span>&nbsp;behaviors&nbsp;that&nbsp;require&nbsp;network&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Services](https://attack.mitre.org/techniques/T1021)&nbsp;or&nbsp;[Ex</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onnections,&nbsp;such&nbsp;as&nbsp;[Remote&nbsp;Services](https://attack.mitre.o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ternal&nbsp;Remote&nbsp;Services](https://attack.mitre.org/techniques/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rg/techniques/T1021)&nbsp;or&nbsp;[External&nbsp;Remote&nbsp;Services](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">T1133).&nbsp;Defenders&nbsp;may&nbsp;use&nbsp;these&nbsp;artifacts&nbsp;to&nbsp;monitor&nbsp;or&nbsp;othe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/techniques/T1133).&nbsp;Defenders&nbsp;may&nbsp;use&nbsp;these&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rwise&nbsp;analyze&nbsp;network&nbsp;connections&nbsp;created&nbsp;by&nbsp;adversaries.&nbsp;&nbsp;N</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rtifacts&nbsp;to&nbsp;monitor&nbsp;or&nbsp;otherwise&nbsp;analyze&nbsp;network&nbsp;connections</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etwork&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;stored&nbsp;in&nbsp;various&nbsp;locations</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;created&nbsp;by&nbsp;adversaries.&nbsp;&nbsp;Network&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;on&nbsp;a&nbsp;system</span>.&nbsp;For&nbsp;example,&nbsp;RDP&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;sto</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stored&nbsp;in&nbsp;various&nbsp;locations.&nbsp;For&nbsp;example,&nbsp;RDP&nbsp;connection&nbsp;his</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">red&nbsp;in&nbsp;Windows&nbsp;Registry&nbsp;values&nbsp;under&nbsp;(Citation:&nbsp;Microsoft&nbsp;RD</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tory&nbsp;may&nbsp;be&nbsp;stored&nbsp;in&nbsp;Windows&nbsp;Registry&nbsp;values&nbsp;under&nbsp;(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">P&nbsp;Removal):&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Te</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Microsoft&nbsp;RDP&nbsp;Removal):&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Softwa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rminal&nbsp;Server&nbsp;Client\\Default&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USE</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\Default&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;H</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">R\\Software\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\Servers&lt;/code&gt;&nbsp;&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">KEY_CURRENT_USER\\Software\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Windows&nbsp;may&nbsp;also&nbsp;store&nbsp;information&nbsp;about&nbsp;recent&nbsp;RDP&nbsp;connecti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ervers&lt;/code&gt;&nbsp;&nbsp;Windows&nbsp;may&nbsp;also&nbsp;store&nbsp;information&nbsp;about&nbsp;rece</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ons&nbsp;in&nbsp;files&nbsp;such&nbsp;as&nbsp;&lt;code&gt;C:\\Users\\\\%username%\\Documents\\De</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt&nbsp;RDP&nbsp;connections&nbsp;in&nbsp;files&nbsp;such&nbsp;as&nbsp;&lt;code&gt;C:\\Users\\\\%usernam</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fault.rdp&lt;/code&gt;&nbsp;and&nbsp;`C:\\Users\\%username%\\AppData\\Local\\Micr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e%\\Documents\\Default.rdp&lt;/code&gt;&nbsp;and&nbsp;`C:\\Users\\%username%\\App</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">osoft\\Terminal&nbsp;Server&nbsp;Client\\Cache\\`.(Citation:&nbsp;Moran&nbsp;RDPiec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Data\\Local\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\Cache\\`.(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es)&nbsp;Similarly,&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;hosts&nbsp;may&nbsp;store&nbsp;information&nbsp;h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Moran&nbsp;RDPieces)&nbsp;Similarly,&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;hosts&nbsp;may&nbsp;stor</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ighlighting&nbsp;connection&nbsp;history&nbsp;in&nbsp;system&nbsp;logs&nbsp;(such&nbsp;as&nbsp;those</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;information&nbsp;highlighting&nbsp;connection&nbsp;history&nbsp;in&nbsp;system&nbsp;logs</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;stored&nbsp;in&nbsp;`/Library/Logs`&nbsp;and/or&nbsp;`/var/log/`).(Citation:&nbsp;Ap</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(such&nbsp;as&nbsp;those&nbsp;stored&nbsp;in&nbsp;`/Library/Logs`&nbsp;and/or&nbsp;`/var/log/`</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ple&nbsp;Culprit&nbsp;Access)(Citation:&nbsp;FreeDesktop&nbsp;Journal)(Citation:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">).(Citation:&nbsp;Apple&nbsp;Culprit&nbsp;Access)(Citation:&nbsp;FreeDesktop&nbsp;Jou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Apple&nbsp;Unified&nbsp;Log&nbsp;Analysis&nbsp;Remote&nbsp;Login&nbsp;and&nbsp;Screen&nbsp;Sharing)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rnal)(Citation:&nbsp;Apple&nbsp;Unified&nbsp;Log&nbsp;Analysis&nbsp;Remote&nbsp;Login&nbsp;and&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;Malicious&nbsp;network&nbsp;connections&nbsp;may&nbsp;also&nbsp;require&nbsp;changes&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Screen&nbsp;Sharing)&nbsp;&nbsp;Malicious&nbsp;network&nbsp;connections&nbsp;may&nbsp;also&nbsp;requ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">network&nbsp;configuration&nbsp;settings,&nbsp;such&nbsp;as&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;S</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ire&nbsp;changes&nbsp;to<span class=\"diff_add\">&nbsp;third-party&nbsp;applications&nbsp;or</span>&nbsp;network&nbsp;configura</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ystem&nbsp;Firewall](https://attack.mitre.org/techniques/T1562/00</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;settings,&nbsp;such&nbsp;as&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;System&nbsp;Firewall](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">4)&nbsp;or&nbsp;tampering&nbsp;to&nbsp;enable&nbsp;[Proxy](https://attack.mitre.org/t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1562/004)&nbsp;or&nbsp;tampering&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">echniques/T1090).&nbsp;Adversaries&nbsp;may&nbsp;delete&nbsp;or&nbsp;modify&nbsp;this&nbsp;data</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;enable&nbsp;[Proxy](https://attack.mitre.org/techniques/T1090).</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;conceal&nbsp;indicators&nbsp;and/or&nbsp;impede&nbsp;defensive&nbsp;analysis.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Adversaries&nbsp;may&nbsp;delete&nbsp;or&nbsp;modify&nbsp;this&nbsp;data&nbsp;to&nbsp;conceal&nbsp;indic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ators&nbsp;and/or&nbsp;impede&nbsp;defensive&nbsp;analysis.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to36__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to36__0\"><a href=\"#difflib_chg_to36__top\">t</a></td><td class=\"diff_header\" id=\"from36_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td><td class=\"diff_next\"><a href=\"#difflib_chg_to36__top\">t</a></td><td class=\"diff_header\" id=\"to36_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;clear&nbsp;or&nbsp;remove&nbsp;evidence&nbsp;of&nbsp;malicious&nbsp;networ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;connections&nbsp;in&nbsp;order&nbsp;to&nbsp;clean&nbsp;up&nbsp;traces&nbsp;of&nbsp;their&nbsp;operation</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;connections&nbsp;in&nbsp;order&nbsp;to&nbsp;clean&nbsp;up&nbsp;traces&nbsp;of&nbsp;their&nbsp;operation</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.&nbsp;Configuration&nbsp;settings&nbsp;as&nbsp;well&nbsp;as&nbsp;various&nbsp;artifacts&nbsp;that&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.&nbsp;Configuration&nbsp;settings&nbsp;as&nbsp;well&nbsp;as&nbsp;various&nbsp;artifacts&nbsp;that&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">highlight&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;created&nbsp;on&nbsp;a&nbsp;system&nbsp;<span class=\"diff_chg\">from</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">highlight&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;created&nbsp;on&nbsp;a&nbsp;system&nbsp;<span class=\"diff_chg\">and/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\"></span>&nbsp;behaviors&nbsp;that&nbsp;require&nbsp;network&nbsp;connections,&nbsp;such&nbsp;as&nbsp;[Remote</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">or&nbsp;in&nbsp;application&nbsp;logs&nbsp;from</span>&nbsp;behaviors&nbsp;that&nbsp;require&nbsp;network&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Services](https://attack.mitre.org/techniques/T1021)&nbsp;or&nbsp;[Ex</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onnections,&nbsp;such&nbsp;as&nbsp;[Remote&nbsp;Services](https://attack.mitre.o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ternal&nbsp;Remote&nbsp;Services](https://attack.mitre.org/techniques/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rg/techniques/T1021)&nbsp;or&nbsp;[External&nbsp;Remote&nbsp;Services](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">T1133).&nbsp;Defenders&nbsp;may&nbsp;use&nbsp;these&nbsp;artifacts&nbsp;to&nbsp;monitor&nbsp;or&nbsp;othe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/techniques/T1133).&nbsp;Defenders&nbsp;may&nbsp;use&nbsp;these&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rwise&nbsp;analyze&nbsp;network&nbsp;connections&nbsp;created&nbsp;by&nbsp;adversaries.&nbsp;&nbsp;N</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rtifacts&nbsp;to&nbsp;monitor&nbsp;or&nbsp;otherwise&nbsp;analyze&nbsp;network&nbsp;connections</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etwork&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;stored&nbsp;in&nbsp;various&nbsp;locations</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;created&nbsp;by&nbsp;adversaries.&nbsp;&nbsp;Network&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;on&nbsp;a&nbsp;system</span>.&nbsp;For&nbsp;example,&nbsp;RDP&nbsp;connection&nbsp;history&nbsp;may&nbsp;be&nbsp;sto</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stored&nbsp;in&nbsp;various&nbsp;locations.&nbsp;For&nbsp;example,&nbsp;RDP&nbsp;connection&nbsp;his</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">red&nbsp;in&nbsp;Windows&nbsp;Registry&nbsp;values&nbsp;under&nbsp;(Citation:&nbsp;Microsoft&nbsp;RD</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tory&nbsp;may&nbsp;be&nbsp;stored&nbsp;in&nbsp;Windows&nbsp;Registry&nbsp;values&nbsp;under&nbsp;(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">P&nbsp;Removal):&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Software\\Microsoft\\Te</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Microsoft&nbsp;RDP&nbsp;Removal):&nbsp;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USER\\Softwa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rminal&nbsp;Server&nbsp;Client\\Default&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;HKEY_CURRENT_USE</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\Default&lt;/code&gt;&nbsp;*&nbsp;&lt;code&gt;H</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">R\\Software\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\Servers&lt;/code&gt;&nbsp;&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">KEY_CURRENT_USER\\Software\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Windows&nbsp;may&nbsp;also&nbsp;store&nbsp;information&nbsp;about&nbsp;recent&nbsp;RDP&nbsp;connecti</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ervers&lt;/code&gt;&nbsp;&nbsp;Windows&nbsp;may&nbsp;also&nbsp;store&nbsp;information&nbsp;about&nbsp;rece</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ons&nbsp;in&nbsp;files&nbsp;such&nbsp;as&nbsp;&lt;code&gt;C:\\Users\\\\%username%\\Documents\\De</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt&nbsp;RDP&nbsp;connections&nbsp;in&nbsp;files&nbsp;such&nbsp;as&nbsp;&lt;code&gt;C:\\Users\\\\%usernam</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fault.rdp&lt;/code&gt;&nbsp;and&nbsp;`C:\\Users\\%username%\\AppData\\Local\\Micr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e%\\Documents\\Default.rdp&lt;/code&gt;&nbsp;and&nbsp;`C:\\Users\\%username%\\App</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">osoft\\Terminal&nbsp;Server&nbsp;Client\\Cache\\`.(Citation:&nbsp;Moran&nbsp;RDPiec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Data\\Local\\Microsoft\\Terminal&nbsp;Server&nbsp;Client\\Cache\\`.(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es)&nbsp;Similarly,&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;hosts&nbsp;may&nbsp;store&nbsp;information&nbsp;h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;Moran&nbsp;RDPieces)&nbsp;Similarly,&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;hosts&nbsp;may&nbsp;stor</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ighlighting&nbsp;connection&nbsp;history&nbsp;in&nbsp;system&nbsp;logs&nbsp;(such&nbsp;as&nbsp;those</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;information&nbsp;highlighting&nbsp;connection&nbsp;history&nbsp;in&nbsp;system&nbsp;logs</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;stored&nbsp;in&nbsp;`/Library/Logs`&nbsp;and/or&nbsp;`/var/log/`).(Citation:&nbsp;Ap</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(such&nbsp;as&nbsp;those&nbsp;stored&nbsp;in&nbsp;`/Library/Logs`&nbsp;and/or&nbsp;`/var/log/`</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ple&nbsp;Culprit&nbsp;Access)(Citation:&nbsp;FreeDesktop&nbsp;Journal)(Citation:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">).(Citation:&nbsp;Apple&nbsp;Culprit&nbsp;Access)(Citation:&nbsp;FreeDesktop&nbsp;Jou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Apple&nbsp;Unified&nbsp;Log&nbsp;Analysis&nbsp;Remote&nbsp;Login&nbsp;and&nbsp;Screen&nbsp;Sharing)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rnal)(Citation:&nbsp;Apple&nbsp;Unified&nbsp;Log&nbsp;Analysis&nbsp;Remote&nbsp;Login&nbsp;and&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;Malicious&nbsp;network&nbsp;connections&nbsp;may&nbsp;also&nbsp;require&nbsp;changes&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Screen&nbsp;Sharing)&nbsp;&nbsp;Malicious&nbsp;network&nbsp;connections&nbsp;may&nbsp;also&nbsp;requ</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">network&nbsp;configuration&nbsp;settings,&nbsp;such&nbsp;as&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;S</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ire&nbsp;changes&nbsp;to<span class=\"diff_add\">&nbsp;third-party&nbsp;applications&nbsp;or</span>&nbsp;network&nbsp;configura</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ystem&nbsp;Firewall](https://attack.mitre.org/techniques/T1562/00</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;settings,&nbsp;such&nbsp;as&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;System&nbsp;Firewall](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">4)&nbsp;or&nbsp;tampering&nbsp;to&nbsp;enable&nbsp;[Proxy](https://attack.mitre.org/t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/techniques/T1562/004)&nbsp;or&nbsp;tampering&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">echniques/T1090).&nbsp;Adversaries&nbsp;may&nbsp;delete&nbsp;or&nbsp;modify&nbsp;this&nbsp;data</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;enable&nbsp;[Proxy](https://attack.mitre.org/techniques/T1090).</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;to&nbsp;conceal&nbsp;indicators&nbsp;and/or&nbsp;impede&nbsp;defensive&nbsp;analysis.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Adversaries&nbsp;may&nbsp;delete&nbsp;or&nbsp;modify&nbsp;this&nbsp;data&nbsp;to&nbsp;conceal&nbsp;indic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ators&nbsp;and/or&nbsp;impede&nbsp;defensive&nbsp;analysis.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1024: Restrict Registry Permissions",
@@ -7053,7 +7053,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-03 21:27:20.702000+00:00\", \"old_value\": \"2023-04-14 19:27:57.370000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \\n\\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\\n\\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\\n\\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)\", \"old_value\": \"Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \\n\\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\\n\\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \\n \\n-Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\\n+On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\\n \\n-On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\\n+Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\\n+\\n+Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Dropbox Malware Sync\", \"description\": \"David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.\", \"url\": \"https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/\"}, \"root['x_mitre_contributors'][2]\": \"Shailesh Tiwary (Indian Army)\", \"root['x_mitre_contributors'][3]\": \"The DFIR Report\", \"root['x_mitre_contributors'][4]\": \"Alain Homewood\", \"root['x_mitre_data_sources'][3]\": \"Command: Command Execution\"}}",
                     "previous_version": "2.2",
                     "version_change": "2.2 \u2192 2.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to7__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to7__0\"><a href=\"#difflib_chg_to7__top\">t</a></td><td class=\"diff_header\" id=\"from7_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to7__top\">t</a></td><td class=\"diff_header\" id=\"to7_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">al&nbsp;system&nbsp;into&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Tools&nbsp;or&nbsp;files&nbsp;may</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">al&nbsp;system&nbsp;into&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Tools&nbsp;or&nbsp;files&nbsp;may</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;be&nbsp;copied&nbsp;from&nbsp;an&nbsp;external&nbsp;adversary-controlled&nbsp;system&nbsp;to&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;be&nbsp;copied&nbsp;from&nbsp;an&nbsp;external&nbsp;adversary-controlled&nbsp;system&nbsp;to&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">he&nbsp;victim&nbsp;network&nbsp;through&nbsp;the&nbsp;command&nbsp;and&nbsp;control&nbsp;channel&nbsp;or</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">he&nbsp;victim&nbsp;network&nbsp;through&nbsp;the&nbsp;command&nbsp;and&nbsp;control&nbsp;channel&nbsp;or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;through&nbsp;alternate&nbsp;protocols&nbsp;such&nbsp;as&nbsp;[ftp](https://attack.mi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;through&nbsp;alternate&nbsp;protocols&nbsp;such&nbsp;as&nbsp;[ftp](https://attack.mi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tre.org/software/S0095).&nbsp;Once&nbsp;present,&nbsp;adversaries&nbsp;may&nbsp;also&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tre.org/software/S0095).&nbsp;Once&nbsp;present,&nbsp;adversaries&nbsp;may&nbsp;also&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">transfer/spread&nbsp;tools&nbsp;between&nbsp;victim&nbsp;devices&nbsp;within&nbsp;a&nbsp;compro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">transfer/spread&nbsp;tools&nbsp;between&nbsp;victim&nbsp;devices&nbsp;within&nbsp;a&nbsp;compro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mised&nbsp;environment&nbsp;(i.e.&nbsp;[Lateral&nbsp;Tool&nbsp;Transfer](https://atta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mised&nbsp;environment&nbsp;(i.e.&nbsp;[Lateral&nbsp;Tool&nbsp;Transfer](https://atta</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ck.mitre.org/techniques/T1570)).&nbsp;&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;transfe</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ck.mitre.org/techniques/T1570)).&nbsp;&nbsp;&nbsp;On&nbsp;Windows,&nbsp;adversaries&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rred&nbsp;using&nbsp;various&nbsp;[Web&nbsp;Service](https://attack.mitre.org/te</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ay&nbsp;use&nbsp;various&nbsp;utilities&nbsp;to&nbsp;download&nbsp;tools,&nbsp;such&nbsp;as&nbsp;`copy`,&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">chniques/T1102)s&nbsp;as&nbsp;well&nbsp;as&nbsp;native&nbsp;or&nbsp;otherwise&nbsp;present&nbsp;tool</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`finger`,&nbsp;[certutil](https://attack.mitre.org/software/S0160</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;on&nbsp;the&nbsp;victim&nbsp;system.(Citation:&nbsp;PTSecurity&nbsp;Cobalt&nbsp;Dec&nbsp;2016</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">),&nbsp;and&nbsp;[PowerShell](https://attack.mitre.org/techniques/T105</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">)&nbsp;&nbsp;On&nbsp;Windows,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;various&nbsp;utilities&nbsp;to&nbsp;down</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">9/001)&nbsp;commands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;IEX(New-Object&nbsp;Net.WebClient).</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">load&nbsp;tools,&nbsp;such&nbsp;as&nbsp;`copy`,&nbsp;`finger`,&nbsp;[certutil](https://att</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">downloadString()&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;Invoke-WebRequest&lt;/code&gt;.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ack.mitre.org/software/S0160),&nbsp;and&nbsp;[PowerShell](https://atta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">On&nbsp;Linux&nbsp;and&nbsp;macOS&nbsp;systems,&nbsp;a&nbsp;variety&nbsp;of&nbsp;utilities&nbsp;also&nbsp;exis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ck.mitre.org/techniques/T1059/001)&nbsp;commands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;IE</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t,&nbsp;such&nbsp;as&nbsp;`curl`,&nbsp;`scp`,&nbsp;`sftp`,&nbsp;`tftp`,&nbsp;`rsync`,&nbsp;`finger`,</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">X(New-Object&nbsp;Net.WebClient).downloadString()&lt;/code&gt;&nbsp;and&nbsp;&lt;cod</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;and&nbsp;`wget`.(Citation:&nbsp;t1105_lolbas)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&gt;Invoke-WebRequest&lt;/code&gt;.&nbsp;On&nbsp;Linux&nbsp;and&nbsp;macOS&nbsp;systems,&nbsp;a&nbsp;va</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">buse&nbsp;installers&nbsp;and&nbsp;package&nbsp;managers,&nbsp;such&nbsp;as&nbsp;`yum`&nbsp;or&nbsp;`wing</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">riety&nbsp;of&nbsp;utilities&nbsp;also&nbsp;exist,&nbsp;such&nbsp;as&nbsp;`curl`,&nbsp;`scp`,&nbsp;`sftp`</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">et`,&nbsp;to&nbsp;download&nbsp;tools&nbsp;to&nbsp;victim&nbsp;hosts.&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;`tftp`,&nbsp;`rsync`,&nbsp;`finger`,&nbsp;and&nbsp;`wget`.(Citation:&nbsp;t1105_lol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ransferred&nbsp;using&nbsp;various&nbsp;[Web&nbsp;Service](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">bas)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">org/techniques/T1102)s&nbsp;as&nbsp;well&nbsp;as&nbsp;native&nbsp;or&nbsp;otherwise&nbsp;presen</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t&nbsp;tools&nbsp;on&nbsp;the&nbsp;victim&nbsp;system.(Citation:&nbsp;PTSecurity&nbsp;Cobalt&nbsp;De</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">c&nbsp;2016)&nbsp;In&nbsp;some&nbsp;cases,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;leverage&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ervices&nbsp;that&nbsp;sync&nbsp;between&nbsp;a&nbsp;web-based&nbsp;and&nbsp;an&nbsp;on-premises&nbsp;cli</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ent,&nbsp;such&nbsp;as&nbsp;Dropbox&nbsp;or&nbsp;OneDrive,&nbsp;to&nbsp;transfer&nbsp;files&nbsp;onto&nbsp;vic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tim&nbsp;systems.&nbsp;For&nbsp;example,&nbsp;by&nbsp;compromising&nbsp;a&nbsp;cloud&nbsp;account&nbsp;an</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;logging&nbsp;into&nbsp;the&nbsp;service's&nbsp;web&nbsp;portal,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;be</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;able&nbsp;to&nbsp;trigger&nbsp;an&nbsp;automatic&nbsp;syncing&nbsp;process&nbsp;that&nbsp;transfers</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;file&nbsp;onto&nbsp;the&nbsp;victim's&nbsp;machine.(Citation:&nbsp;Dropbox&nbsp;Malwa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re&nbsp;Sync)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to1__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to1__0\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"from1_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"to1_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;from&nbsp;an&nbsp;extern</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">al&nbsp;system&nbsp;into&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Tools&nbsp;or&nbsp;files&nbsp;may</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">al&nbsp;system&nbsp;into&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Tools&nbsp;or&nbsp;files&nbsp;may</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;be&nbsp;copied&nbsp;from&nbsp;an&nbsp;external&nbsp;adversary-controlled&nbsp;system&nbsp;to&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;be&nbsp;copied&nbsp;from&nbsp;an&nbsp;external&nbsp;adversary-controlled&nbsp;system&nbsp;to&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">he&nbsp;victim&nbsp;network&nbsp;through&nbsp;the&nbsp;command&nbsp;and&nbsp;control&nbsp;channel&nbsp;or</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">he&nbsp;victim&nbsp;network&nbsp;through&nbsp;the&nbsp;command&nbsp;and&nbsp;control&nbsp;channel&nbsp;or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;through&nbsp;alternate&nbsp;protocols&nbsp;such&nbsp;as&nbsp;[ftp](https://attack.mi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;through&nbsp;alternate&nbsp;protocols&nbsp;such&nbsp;as&nbsp;[ftp](https://attack.mi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tre.org/software/S0095).&nbsp;Once&nbsp;present,&nbsp;adversaries&nbsp;may&nbsp;also&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tre.org/software/S0095).&nbsp;Once&nbsp;present,&nbsp;adversaries&nbsp;may&nbsp;also&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">transfer/spread&nbsp;tools&nbsp;between&nbsp;victim&nbsp;devices&nbsp;within&nbsp;a&nbsp;compro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">transfer/spread&nbsp;tools&nbsp;between&nbsp;victim&nbsp;devices&nbsp;within&nbsp;a&nbsp;compro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mised&nbsp;environment&nbsp;(i.e.&nbsp;[Lateral&nbsp;Tool&nbsp;Transfer](https://atta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mised&nbsp;environment&nbsp;(i.e.&nbsp;[Lateral&nbsp;Tool&nbsp;Transfer](https://atta</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ck.mitre.org/techniques/T1570)).&nbsp;&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;transfe</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ck.mitre.org/techniques/T1570)).&nbsp;&nbsp;&nbsp;On&nbsp;Windows,&nbsp;adversaries&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rred&nbsp;using&nbsp;various&nbsp;[Web&nbsp;Service](https://attack.mitre.org/te</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ay&nbsp;use&nbsp;various&nbsp;utilities&nbsp;to&nbsp;download&nbsp;tools,&nbsp;such&nbsp;as&nbsp;`copy`,&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">chniques/T1102)s&nbsp;as&nbsp;well&nbsp;as&nbsp;native&nbsp;or&nbsp;otherwise&nbsp;present&nbsp;tool</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`finger`,&nbsp;[certutil](https://attack.mitre.org/software/S0160</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;on&nbsp;the&nbsp;victim&nbsp;system.(Citation:&nbsp;PTSecurity&nbsp;Cobalt&nbsp;Dec&nbsp;2016</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">),&nbsp;and&nbsp;[PowerShell](https://attack.mitre.org/techniques/T105</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">)&nbsp;&nbsp;On&nbsp;Windows,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;various&nbsp;utilities&nbsp;to&nbsp;down</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">9/001)&nbsp;commands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;IEX(New-Object&nbsp;Net.WebClient).</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">load&nbsp;tools,&nbsp;such&nbsp;as&nbsp;`copy`,&nbsp;`finger`,&nbsp;[certutil](https://att</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">downloadString()&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;Invoke-WebRequest&lt;/code&gt;.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ack.mitre.org/software/S0160),&nbsp;and&nbsp;[PowerShell](https://atta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">On&nbsp;Linux&nbsp;and&nbsp;macOS&nbsp;systems,&nbsp;a&nbsp;variety&nbsp;of&nbsp;utilities&nbsp;also&nbsp;exis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ck.mitre.org/techniques/T1059/001)&nbsp;commands&nbsp;such&nbsp;as&nbsp;&lt;code&gt;IE</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t,&nbsp;such&nbsp;as&nbsp;`curl`,&nbsp;`scp`,&nbsp;`sftp`,&nbsp;`tftp`,&nbsp;`rsync`,&nbsp;`finger`,</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">X(New-Object&nbsp;Net.WebClient).downloadString()&lt;/code&gt;&nbsp;and&nbsp;&lt;cod</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;and&nbsp;`wget`.(Citation:&nbsp;t1105_lolbas)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&gt;Invoke-WebRequest&lt;/code&gt;.&nbsp;On&nbsp;Linux&nbsp;and&nbsp;macOS&nbsp;systems,&nbsp;a&nbsp;va</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">buse&nbsp;installers&nbsp;and&nbsp;package&nbsp;managers,&nbsp;such&nbsp;as&nbsp;`yum`&nbsp;or&nbsp;`wing</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">riety&nbsp;of&nbsp;utilities&nbsp;also&nbsp;exist,&nbsp;such&nbsp;as&nbsp;`curl`,&nbsp;`scp`,&nbsp;`sftp`</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">et`,&nbsp;to&nbsp;download&nbsp;tools&nbsp;to&nbsp;victim&nbsp;hosts.&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;`tftp`,&nbsp;`rsync`,&nbsp;`finger`,&nbsp;and&nbsp;`wget`.(Citation:&nbsp;t1105_lol</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ransferred&nbsp;using&nbsp;various&nbsp;[Web&nbsp;Service](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">bas)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">org/techniques/T1102)s&nbsp;as&nbsp;well&nbsp;as&nbsp;native&nbsp;or&nbsp;otherwise&nbsp;presen</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">t&nbsp;tools&nbsp;on&nbsp;the&nbsp;victim&nbsp;system.(Citation:&nbsp;PTSecurity&nbsp;Cobalt&nbsp;De</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">c&nbsp;2016)&nbsp;In&nbsp;some&nbsp;cases,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;leverage&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ervices&nbsp;that&nbsp;sync&nbsp;between&nbsp;a&nbsp;web-based&nbsp;and&nbsp;an&nbsp;on-premises&nbsp;cli</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ent,&nbsp;such&nbsp;as&nbsp;Dropbox&nbsp;or&nbsp;OneDrive,&nbsp;to&nbsp;transfer&nbsp;files&nbsp;onto&nbsp;vic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tim&nbsp;systems.&nbsp;For&nbsp;example,&nbsp;by&nbsp;compromising&nbsp;a&nbsp;cloud&nbsp;account&nbsp;an</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;logging&nbsp;into&nbsp;the&nbsp;service's&nbsp;web&nbsp;portal,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;be</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;able&nbsp;to&nbsp;trigger&nbsp;an&nbsp;automatic&nbsp;syncing&nbsp;process&nbsp;that&nbsp;transfers</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;file&nbsp;onto&nbsp;the&nbsp;victim's&nbsp;machine.(Citation:&nbsp;Dropbox&nbsp;Malwa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">re&nbsp;Sync)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1031: Network Intrusion Prevention"
@@ -7260,7 +7260,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"TruKno\"], \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"Administrator\", \"root\", \"SYSTEM\", \"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 14:01:12.167000+00:00\", \"old_value\": \"2023-03-30 21:01:37.930000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\\n\\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n\\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\\n* Reading raw keystroke data from the hardware buffer.\\n* Windows Registry modifications.\\n* Custom drivers.\\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) \", \"old_value\": \"Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\\n\\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n\\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\\n* Reading raw keystroke data from the hardware buffer.\\n* Windows Registry modifications.\\n* Custom drivers.\\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) \", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\\n+Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\\n \\n Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\\n \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Talos Kimsuky Nov 2021\", \"description\": \"An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.\", \"url\": \"https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html\"}}}",
                     "previous_version": "1.1",
                     "version_change": "1.1 \u2192 1.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to9__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to9__0\"><a href=\"#difflib_chg_to9__top\">t</a></td><td class=\"diff_header\" id=\"from9_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td><td class=\"diff_next\"><a href=\"#difflib_chg_to9__top\">t</a></td><td class=\"diff_header\" id=\"to9_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;efforts&nbsp;are&nbsp;not&nbsp;effective,&nbsp;and&nbsp;may&nbsp;require&nbsp;an&nbsp;adversary&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;efforts&nbsp;are&nbsp;not&nbsp;effective,&nbsp;and&nbsp;may&nbsp;require&nbsp;an&nbsp;adversary&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intercept&nbsp;keystrokes&nbsp;on&nbsp;a&nbsp;system&nbsp;for&nbsp;a&nbsp;substantial&nbsp;period&nbsp;of</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intercept&nbsp;keystrokes&nbsp;on&nbsp;a&nbsp;system&nbsp;for&nbsp;a&nbsp;substantial&nbsp;period&nbsp;of</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;time&nbsp;before&nbsp;credentials&nbsp;can&nbsp;be&nbsp;successfully&nbsp;captured.&nbsp;<span class=\"diff_chg\">&nbsp;Keyl</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;time&nbsp;before&nbsp;credentials&nbsp;can&nbsp;be&nbsp;successfully&nbsp;captured.&nbsp;<span class=\"diff_chg\">In&nbsp;or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ogging&nbsp;is&nbsp;the&nbsp;most&nbsp;pre</span>v<span class=\"diff_chg\">alent&nbsp;type&nbsp;of&nbsp;input&nbsp;capture,&nbsp;</span>w<span class=\"diff_chg\">ith&nbsp;man</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">der&nbsp;to&nbsp;increase&nbsp;the&nbsp;likelihood&nbsp;of&nbsp;capturing&nbsp;credentials&nbsp;quic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">y&nbsp;different&nbsp;ways&nbsp;of&nbsp;intercepting&nbsp;keystroke</span>s.(Citation:&nbsp;Adven</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">kly,&nbsp;an&nbsp;ad</span>v<span class=\"diff_chg\">ersary&nbsp;may&nbsp;also&nbsp;perform&nbsp;actions&nbsp;such&nbsp;as&nbsp;clearing&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tures&nbsp;of&nbsp;a&nbsp;Keystroke)&nbsp;Some&nbsp;methods&nbsp;include:&nbsp;&nbsp;*&nbsp;Hooking&nbsp;API&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">bro</span>w<span class=\"diff_chg\">ser&nbsp;cookies&nbsp;to&nbsp;force&nbsp;users&nbsp;to&nbsp;reauthenticate&nbsp;to&nbsp;system</span>s.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">allbacks&nbsp;used&nbsp;for&nbsp;processing&nbsp;keystrokes.&nbsp;Unlike&nbsp;[Credential&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;<span class=\"diff_add\">Talos&nbsp;Kimsuky&nbsp;Nov&nbsp;2021)&nbsp;&nbsp;Keylogging&nbsp;is&nbsp;the&nbsp;most&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">API&nbsp;Hooking](https://attack.mitre.org/techniques/T1056/004),</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">revalent&nbsp;type&nbsp;of&nbsp;input&nbsp;capture,&nbsp;with&nbsp;many&nbsp;different&nbsp;ways&nbsp;of&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;this&nbsp;focuses&nbsp;solely&nbsp;on&nbsp;API&nbsp;functions&nbsp;intended&nbsp;for&nbsp;processin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">intercepting&nbsp;keystrokes.(Citation:&nbsp;</span>Adventures&nbsp;of&nbsp;a&nbsp;Keystroke</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;keystroke&nbsp;data.&nbsp;*&nbsp;Reading&nbsp;raw&nbsp;keystroke&nbsp;data&nbsp;from&nbsp;the&nbsp;hard</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;Some&nbsp;methods&nbsp;include:&nbsp;&nbsp;*&nbsp;Hooking&nbsp;API&nbsp;callbacks&nbsp;used&nbsp;for&nbsp;pr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;buffer.&nbsp;*&nbsp;Windows&nbsp;Registry&nbsp;modifications.&nbsp;*&nbsp;Custom&nbsp;driv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ocessing&nbsp;keystrokes.&nbsp;Unlike&nbsp;[Credential&nbsp;API&nbsp;Hooking](https:/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ers.&nbsp;*&nbsp;[Modify&nbsp;System&nbsp;Image](https://attack.mitre.org/techni</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/attack.mitre.org/techniques/T1056/004),&nbsp;this&nbsp;focuses&nbsp;solely</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1601)&nbsp;may&nbsp;provide&nbsp;adversaries&nbsp;with&nbsp;hooks&nbsp;into&nbsp;the&nbsp;oper</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;on&nbsp;API&nbsp;functions&nbsp;intended&nbsp;for&nbsp;processing&nbsp;keystroke&nbsp;data.&nbsp;*&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ating&nbsp;system&nbsp;of&nbsp;network&nbsp;devices&nbsp;to&nbsp;read&nbsp;raw&nbsp;keystrokes&nbsp;for&nbsp;l</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Reading&nbsp;raw&nbsp;keystroke&nbsp;data&nbsp;from&nbsp;the&nbsp;hardware&nbsp;buffer.&nbsp;*&nbsp;Windo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogin&nbsp;sessions.(Citation:&nbsp;Cisco&nbsp;Blog&nbsp;Legacy&nbsp;Device&nbsp;Attacks)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ws&nbsp;Registry&nbsp;modifications.&nbsp;*&nbsp;Custom&nbsp;drivers.&nbsp;*&nbsp;[Modify&nbsp;Syste</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m&nbsp;Image](https://attack.mitre.org/techniques/T1601)&nbsp;may&nbsp;prov</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ide&nbsp;adversaries&nbsp;with&nbsp;hooks&nbsp;into&nbsp;the&nbsp;operating&nbsp;system&nbsp;of&nbsp;netw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;devices&nbsp;to&nbsp;read&nbsp;raw&nbsp;keystrokes&nbsp;for&nbsp;login&nbsp;sessions.(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Cisco&nbsp;Blog&nbsp;Legacy&nbsp;Device&nbsp;Attacks)&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to27__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to27__0\"><a href=\"#difflib_chg_to27__top\">t</a></td><td class=\"diff_header\" id=\"from27_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td><td class=\"diff_next\"><a href=\"#difflib_chg_to27__top\">t</a></td><td class=\"diff_header\" id=\"to27_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;log&nbsp;user&nbsp;keystrokes&nbsp;to&nbsp;intercept&nbsp;credentials</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;as&nbsp;the&nbsp;user&nbsp;types&nbsp;them.&nbsp;Keylogging&nbsp;is&nbsp;likely&nbsp;to&nbsp;be&nbsp;used&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">acquire&nbsp;credentials&nbsp;for&nbsp;new&nbsp;access&nbsp;opportunities&nbsp;when&nbsp;[OS&nbsp;Cr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edential&nbsp;Dumping](https://attack.mitre.org/techniques/T1003)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;efforts&nbsp;are&nbsp;not&nbsp;effective,&nbsp;and&nbsp;may&nbsp;require&nbsp;an&nbsp;adversary&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;efforts&nbsp;are&nbsp;not&nbsp;effective,&nbsp;and&nbsp;may&nbsp;require&nbsp;an&nbsp;adversary&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intercept&nbsp;keystrokes&nbsp;on&nbsp;a&nbsp;system&nbsp;for&nbsp;a&nbsp;substantial&nbsp;period&nbsp;of</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intercept&nbsp;keystrokes&nbsp;on&nbsp;a&nbsp;system&nbsp;for&nbsp;a&nbsp;substantial&nbsp;period&nbsp;of</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;time&nbsp;before&nbsp;credentials&nbsp;can&nbsp;be&nbsp;successfully&nbsp;captured.&nbsp;<span class=\"diff_chg\">&nbsp;Keyl</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;time&nbsp;before&nbsp;credentials&nbsp;can&nbsp;be&nbsp;successfully&nbsp;captured.&nbsp;<span class=\"diff_chg\">In&nbsp;or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ogging&nbsp;is&nbsp;the&nbsp;most&nbsp;pre</span>v<span class=\"diff_chg\">alent&nbsp;type&nbsp;of&nbsp;input&nbsp;capture,&nbsp;</span>w<span class=\"diff_chg\">ith&nbsp;man</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">der&nbsp;to&nbsp;increase&nbsp;the&nbsp;likelihood&nbsp;of&nbsp;capturing&nbsp;credentials&nbsp;quic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">y&nbsp;different&nbsp;ways&nbsp;of&nbsp;intercepting&nbsp;keystroke</span>s.(Citation:&nbsp;Adven</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">kly,&nbsp;an&nbsp;ad</span>v<span class=\"diff_chg\">ersary&nbsp;may&nbsp;also&nbsp;perform&nbsp;actions&nbsp;such&nbsp;as&nbsp;clearing&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tures&nbsp;of&nbsp;a&nbsp;Keystroke)&nbsp;Some&nbsp;methods&nbsp;include:&nbsp;&nbsp;*&nbsp;Hooking&nbsp;API&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">bro</span>w<span class=\"diff_chg\">ser&nbsp;cookies&nbsp;to&nbsp;force&nbsp;users&nbsp;to&nbsp;reauthenticate&nbsp;to&nbsp;system</span>s.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">allbacks&nbsp;used&nbsp;for&nbsp;processing&nbsp;keystrokes.&nbsp;Unlike&nbsp;[Credential&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;<span class=\"diff_add\">Talos&nbsp;Kimsuky&nbsp;Nov&nbsp;2021)&nbsp;&nbsp;Keylogging&nbsp;is&nbsp;the&nbsp;most&nbsp;p</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">API&nbsp;Hooking](https://attack.mitre.org/techniques/T1056/004),</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">revalent&nbsp;type&nbsp;of&nbsp;input&nbsp;capture,&nbsp;with&nbsp;many&nbsp;different&nbsp;ways&nbsp;of&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;this&nbsp;focuses&nbsp;solely&nbsp;on&nbsp;API&nbsp;functions&nbsp;intended&nbsp;for&nbsp;processin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">intercepting&nbsp;keystrokes.(Citation:&nbsp;</span>Adventures&nbsp;of&nbsp;a&nbsp;Keystroke</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;keystroke&nbsp;data.&nbsp;*&nbsp;Reading&nbsp;raw&nbsp;keystroke&nbsp;data&nbsp;from&nbsp;the&nbsp;hard</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;Some&nbsp;methods&nbsp;include:&nbsp;&nbsp;*&nbsp;Hooking&nbsp;API&nbsp;callbacks&nbsp;used&nbsp;for&nbsp;pr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;buffer.&nbsp;*&nbsp;Windows&nbsp;Registry&nbsp;modifications.&nbsp;*&nbsp;Custom&nbsp;driv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ocessing&nbsp;keystrokes.&nbsp;Unlike&nbsp;[Credential&nbsp;API&nbsp;Hooking](https:/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ers.&nbsp;*&nbsp;[Modify&nbsp;System&nbsp;Image](https://attack.mitre.org/techni</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/attack.mitre.org/techniques/T1056/004),&nbsp;this&nbsp;focuses&nbsp;solely</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1601)&nbsp;may&nbsp;provide&nbsp;adversaries&nbsp;with&nbsp;hooks&nbsp;into&nbsp;the&nbsp;oper</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;on&nbsp;API&nbsp;functions&nbsp;intended&nbsp;for&nbsp;processing&nbsp;keystroke&nbsp;data.&nbsp;*&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ating&nbsp;system&nbsp;of&nbsp;network&nbsp;devices&nbsp;to&nbsp;read&nbsp;raw&nbsp;keystrokes&nbsp;for&nbsp;l</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Reading&nbsp;raw&nbsp;keystroke&nbsp;data&nbsp;from&nbsp;the&nbsp;hardware&nbsp;buffer.&nbsp;*&nbsp;Windo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ogin&nbsp;sessions.(Citation:&nbsp;Cisco&nbsp;Blog&nbsp;Legacy&nbsp;Device&nbsp;Attacks)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ws&nbsp;Registry&nbsp;modifications.&nbsp;*&nbsp;Custom&nbsp;drivers.&nbsp;*&nbsp;[Modify&nbsp;Syste</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m&nbsp;Image](https://attack.mitre.org/techniques/T1601)&nbsp;may&nbsp;prov</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ide&nbsp;adversaries&nbsp;with&nbsp;hooks&nbsp;into&nbsp;the&nbsp;operating&nbsp;system&nbsp;of&nbsp;netw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ork&nbsp;devices&nbsp;to&nbsp;read&nbsp;raw&nbsp;keystrokes&nbsp;for&nbsp;login&nbsp;sessions.(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;Cisco&nbsp;Blog&nbsp;Legacy&nbsp;Device&nbsp;Attacks)&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [],
                         "new": [],
@@ -7462,7 +7462,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Shailesh Tiwary (Indian Army)\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-01 13:48:28.738000+00:00\", \"old_value\": \"2022-04-19 15:34:49.016000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\\n\\nAdversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n\\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)\", \"old_value\": \"Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n\\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n+Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\\n \\n-Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).\\n+Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\\n+\\n+Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Dropbox Malware Sync\", \"description\": \"David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.\", \"url\": \"https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/\"}}}",
                     "previous_version": "1.2",
                     "version_change": "1.2 \u2192 1.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to27__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to27__0\"><a href=\"#difflib_chg_to27__top\">t</a></td><td class=\"diff_header\" id=\"from27_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td><td class=\"diff_next\"><a href=\"#difflib_chg_to27__top\">t</a></td><td class=\"diff_header\" id=\"to27_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;in&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Once&nbsp;brought&nbsp;into&nbsp;the&nbsp;victim</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;in&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Once&nbsp;brought&nbsp;into&nbsp;the&nbsp;victim</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;environment&nbsp;(i.e.&nbsp;[Ingress&nbsp;Tool&nbsp;Transfer](https://attack.mi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;environment&nbsp;(i.e.<span class=\"diff_add\">,</span>&nbsp;[Ingress&nbsp;Tool&nbsp;Transfer](https://attack.m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tre.org/techniques/T1105))&nbsp;files&nbsp;may&nbsp;then&nbsp;be&nbsp;copied&nbsp;from&nbsp;one</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itre.org/techniques/T1105))&nbsp;files&nbsp;may&nbsp;then&nbsp;be&nbsp;copied&nbsp;from&nbsp;on</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;to&nbsp;another&nbsp;to&nbsp;stage&nbsp;adversary&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;system&nbsp;to&nbsp;another&nbsp;to&nbsp;stage&nbsp;adversary&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ver&nbsp;the&nbsp;course&nbsp;of&nbsp;an&nbsp;operation.&nbsp;Adversaries&nbsp;may&nbsp;copy&nbsp;files&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">over&nbsp;the&nbsp;course&nbsp;of&nbsp;an&nbsp;operation.<span class=\"diff_add\">&nbsp;</span>&nbsp;Adversaries&nbsp;may&nbsp;copy&nbsp;files</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etween&nbsp;internal&nbsp;victim&nbsp;systems&nbsp;to&nbsp;support&nbsp;lateral&nbsp;movement&nbsp;u</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;between&nbsp;internal&nbsp;victim&nbsp;systems&nbsp;to&nbsp;support&nbsp;lateral&nbsp;movement</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sing&nbsp;inherent&nbsp;file&nbsp;sharing&nbsp;protocols&nbsp;such&nbsp;as&nbsp;file&nbsp;sharing&nbsp;ov</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;using&nbsp;inherent&nbsp;file&nbsp;sharing&nbsp;protocols&nbsp;such&nbsp;as&nbsp;file&nbsp;sharing&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;[SMB/Windows&nbsp;Admin&nbsp;Shares](https://attack.mitre.org/techn</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">over&nbsp;[SMB/Windows&nbsp;Admin&nbsp;Shares](https://attack.mitre.org/tec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iques/T1021/002)&nbsp;to&nbsp;connected&nbsp;network&nbsp;shares&nbsp;or&nbsp;with&nbsp;authent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1021/002)&nbsp;to&nbsp;connected&nbsp;network&nbsp;shares&nbsp;or&nbsp;with&nbsp;authe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icated&nbsp;connections&nbsp;via&nbsp;[Remote&nbsp;Desktop&nbsp;Protocol](https://att</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nticated&nbsp;connections&nbsp;via&nbsp;[Remote&nbsp;Desktop&nbsp;Protocol](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ack.mitre.org/techniques/T1021/001).(Citation:&nbsp;Unit42&nbsp;Locker</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/techniques/T1021/001).(Citation:&nbsp;Unit42&nbsp;Lock</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Goga&nbsp;2019)&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;transferred&nbsp;using&nbsp;native&nbsp;or&nbsp;ot</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">erGoga&nbsp;2019)&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;transferred&nbsp;using&nbsp;native&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">herwise&nbsp;present&nbsp;tools&nbsp;on&nbsp;the&nbsp;victim&nbsp;system,&nbsp;such&nbsp;as&nbsp;scp,&nbsp;rsy</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">otherwise&nbsp;present&nbsp;tools&nbsp;on&nbsp;the&nbsp;victim&nbsp;system,&nbsp;such&nbsp;as&nbsp;scp,&nbsp;r</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nc,&nbsp;curl,&nbsp;sftp,&nbsp;and&nbsp;[ftp](https://attack.mitre.org/software/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sync,&nbsp;curl,&nbsp;sftp,&nbsp;and&nbsp;[ftp](https://attack.mitre.org/softwar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">S0095).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e/S0095).<span class=\"diff_add\">&nbsp;In&nbsp;some&nbsp;cases,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;leverage</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;[Web&nbsp;Service](https://attack.mitre.org/techniques/T1102)s&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">uch&nbsp;as&nbsp;Dropbox&nbsp;or&nbsp;OneDrive&nbsp;to&nbsp;copy&nbsp;files&nbsp;from&nbsp;one&nbsp;machine&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;another&nbsp;via&nbsp;shared,&nbsp;automatically&nbsp;synced&nbsp;folders.(Citation:</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Dropbox&nbsp;Malware&nbsp;Sync)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to20__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to20__0\"><a href=\"#difflib_chg_to20__top\">t</a></td><td class=\"diff_header\" id=\"from20_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td><td class=\"diff_next\"><a href=\"#difflib_chg_to20__top\">t</a></td><td class=\"diff_header\" id=\"to20_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;transfer&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;between&nbsp;system</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;in&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Once&nbsp;brought&nbsp;into&nbsp;the&nbsp;victim</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;in&nbsp;a&nbsp;compromised&nbsp;environment.&nbsp;Once&nbsp;brought&nbsp;into&nbsp;the&nbsp;victim</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;environment&nbsp;(i.e.&nbsp;[Ingress&nbsp;Tool&nbsp;Transfer](https://attack.mi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;environment&nbsp;(i.e.<span class=\"diff_add\">,</span>&nbsp;[Ingress&nbsp;Tool&nbsp;Transfer](https://attack.m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tre.org/techniques/T1105))&nbsp;files&nbsp;may&nbsp;then&nbsp;be&nbsp;copied&nbsp;from&nbsp;one</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itre.org/techniques/T1105))&nbsp;files&nbsp;may&nbsp;then&nbsp;be&nbsp;copied&nbsp;from&nbsp;on</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;to&nbsp;another&nbsp;to&nbsp;stage&nbsp;adversary&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;system&nbsp;to&nbsp;another&nbsp;to&nbsp;stage&nbsp;adversary&nbsp;tools&nbsp;or&nbsp;other&nbsp;files&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ver&nbsp;the&nbsp;course&nbsp;of&nbsp;an&nbsp;operation.&nbsp;Adversaries&nbsp;may&nbsp;copy&nbsp;files&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">over&nbsp;the&nbsp;course&nbsp;of&nbsp;an&nbsp;operation.<span class=\"diff_add\">&nbsp;</span>&nbsp;Adversaries&nbsp;may&nbsp;copy&nbsp;files</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etween&nbsp;internal&nbsp;victim&nbsp;systems&nbsp;to&nbsp;support&nbsp;lateral&nbsp;movement&nbsp;u</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;between&nbsp;internal&nbsp;victim&nbsp;systems&nbsp;to&nbsp;support&nbsp;lateral&nbsp;movement</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sing&nbsp;inherent&nbsp;file&nbsp;sharing&nbsp;protocols&nbsp;such&nbsp;as&nbsp;file&nbsp;sharing&nbsp;ov</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;using&nbsp;inherent&nbsp;file&nbsp;sharing&nbsp;protocols&nbsp;such&nbsp;as&nbsp;file&nbsp;sharing&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;[SMB/Windows&nbsp;Admin&nbsp;Shares](https://attack.mitre.org/techn</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">over&nbsp;[SMB/Windows&nbsp;Admin&nbsp;Shares](https://attack.mitre.org/tec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iques/T1021/002)&nbsp;to&nbsp;connected&nbsp;network&nbsp;shares&nbsp;or&nbsp;with&nbsp;authent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1021/002)&nbsp;to&nbsp;connected&nbsp;network&nbsp;shares&nbsp;or&nbsp;with&nbsp;authe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icated&nbsp;connections&nbsp;via&nbsp;[Remote&nbsp;Desktop&nbsp;Protocol](https://att</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nticated&nbsp;connections&nbsp;via&nbsp;[Remote&nbsp;Desktop&nbsp;Protocol](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ack.mitre.org/techniques/T1021/001).(Citation:&nbsp;Unit42&nbsp;Locker</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/techniques/T1021/001).(Citation:&nbsp;Unit42&nbsp;Lock</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Goga&nbsp;2019)&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;transferred&nbsp;using&nbsp;native&nbsp;or&nbsp;ot</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">erGoga&nbsp;2019)&nbsp;&nbsp;Files&nbsp;can&nbsp;also&nbsp;be&nbsp;transferred&nbsp;using&nbsp;native&nbsp;or&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">herwise&nbsp;present&nbsp;tools&nbsp;on&nbsp;the&nbsp;victim&nbsp;system,&nbsp;such&nbsp;as&nbsp;scp,&nbsp;rsy</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">otherwise&nbsp;present&nbsp;tools&nbsp;on&nbsp;the&nbsp;victim&nbsp;system,&nbsp;such&nbsp;as&nbsp;scp,&nbsp;r</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nc,&nbsp;curl,&nbsp;sftp,&nbsp;and&nbsp;[ftp](https://attack.mitre.org/software/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sync,&nbsp;curl,&nbsp;sftp,&nbsp;and&nbsp;[ftp](https://attack.mitre.org/softwar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">S0095).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e/S0095).<span class=\"diff_add\">&nbsp;In&nbsp;some&nbsp;cases,&nbsp;adversaries&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;leverage</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;[Web&nbsp;Service](https://attack.mitre.org/techniques/T1102)s&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">uch&nbsp;as&nbsp;Dropbox&nbsp;or&nbsp;OneDrive&nbsp;to&nbsp;copy&nbsp;files&nbsp;from&nbsp;one&nbsp;machine&nbsp;to</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;another&nbsp;via&nbsp;shared,&nbsp;automatically&nbsp;synced&nbsp;folders.(Citation:</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Dropbox&nbsp;Malware&nbsp;Sync)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1031: Network Intrusion Prevention",
@@ -7569,7 +7569,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-15 09:52:11.875000+00:00\", \"old_value\": \"2023-04-07 17:04:34.648000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\\n\\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.\", \"old_value\": \"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\\n\\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\\n \\n-Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)\\n+Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.elastic.co/blog/how-hunt-masquerade-ball\", \"old_value\": \"http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.6\", \"old_value\": \"1.5\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][6]\": \"Goldstein Menachem\", \"root['x_mitre_data_sources'][4]\": \"Process: Process Creation\", \"root['x_mitre_data_sources'][10]\": \"Process: OS API Execution\"}}",
                     "previous_version": "1.5",
                     "version_change": "1.5 \u2192 1.6",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to20__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to20__0\"><a href=\"#difflib_chg_to20__top\">t</a></td><td class=\"diff_header\" id=\"from20_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td><td class=\"diff_next\"><a href=\"#difflib_chg_to20__top\">t</a></td><td class=\"diff_header\" id=\"to20_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">facts&nbsp;to&nbsp;make&nbsp;them&nbsp;appear&nbsp;legitimate&nbsp;or&nbsp;benign&nbsp;to&nbsp;users&nbsp;and/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">facts&nbsp;to&nbsp;make&nbsp;them&nbsp;appear&nbsp;legitimate&nbsp;or&nbsp;benign&nbsp;to&nbsp;users&nbsp;and/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;security&nbsp;tools.&nbsp;Masquerading&nbsp;occurs&nbsp;when&nbsp;the&nbsp;name&nbsp;or&nbsp;loca</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;security&nbsp;tools.&nbsp;Masquerading&nbsp;occurs&nbsp;when&nbsp;the&nbsp;name&nbsp;or&nbsp;loca</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;of&nbsp;an&nbsp;object,&nbsp;legitimate&nbsp;or&nbsp;malicious,&nbsp;is&nbsp;manipulated&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;of&nbsp;an&nbsp;object,&nbsp;legitimate&nbsp;or&nbsp;malicious,&nbsp;is&nbsp;manipulated&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;abused&nbsp;for&nbsp;the&nbsp;sake&nbsp;of&nbsp;evading&nbsp;defenses&nbsp;and&nbsp;observation.&nbsp;T</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;abused&nbsp;for&nbsp;the&nbsp;sake&nbsp;of&nbsp;evading&nbsp;defenses&nbsp;and&nbsp;observation.&nbsp;T</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">his&nbsp;may&nbsp;include&nbsp;manipulating&nbsp;file&nbsp;metadata,&nbsp;tricking&nbsp;users&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">his&nbsp;may&nbsp;include&nbsp;manipulating&nbsp;file&nbsp;metadata,&nbsp;tricking&nbsp;users&nbsp;i</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nto&nbsp;misidentifying&nbsp;the&nbsp;file&nbsp;type,&nbsp;and&nbsp;giving&nbsp;legitimate&nbsp;task</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nto&nbsp;misidentifying&nbsp;the&nbsp;file&nbsp;type,&nbsp;and&nbsp;giving&nbsp;legitimate&nbsp;task</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;or&nbsp;service&nbsp;names.&nbsp;&nbsp;Renaming&nbsp;abusable&nbsp;system&nbsp;utilities&nbsp;to&nbsp;ev</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;or&nbsp;service&nbsp;names.&nbsp;&nbsp;Renaming&nbsp;abusable&nbsp;system&nbsp;utilities&nbsp;to&nbsp;ev</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ade&nbsp;security&nbsp;monitoring&nbsp;is&nbsp;also&nbsp;a&nbsp;form&nbsp;of&nbsp;[Masquerading](htt</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ade&nbsp;security&nbsp;monitoring&nbsp;is&nbsp;also&nbsp;a&nbsp;form&nbsp;of&nbsp;[Masquerading](htt</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps://attack.mitre.org/techniques/T1036).(Citation:&nbsp;LOLBAS&nbsp;Ma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps://attack.mitre.org/techniques/T1036).(Citation:&nbsp;LOLBAS&nbsp;Ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;Site)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;Site)<span class=\"diff_add\">&nbsp;Masquerading&nbsp;may&nbsp;also&nbsp;include&nbsp;the&nbsp;use&nbsp;of&nbsp;[Proxy](ht</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tps://attack.mitre.org/techniques/T1090)&nbsp;or&nbsp;VPNs&nbsp;to&nbsp;disguise</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;IP&nbsp;addresses,&nbsp;which&nbsp;can&nbsp;allow&nbsp;adversaries&nbsp;to&nbsp;blend&nbsp;in&nbsp;with&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">normal&nbsp;network&nbsp;traffic&nbsp;and&nbsp;bypass&nbsp;conditional&nbsp;access&nbsp;policie</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;or&nbsp;anti-abuse&nbsp;protections.</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to38__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to38__0\"><a href=\"#difflib_chg_to38__top\">t</a></td><td class=\"diff_header\" id=\"from38_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td><td class=\"diff_next\"><a href=\"#difflib_chg_to38__top\">t</a></td><td class=\"diff_header\" id=\"to38_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;manipulate&nbsp;features&nbsp;of&nbsp;their&nbsp;arti</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">facts&nbsp;to&nbsp;make&nbsp;them&nbsp;appear&nbsp;legitimate&nbsp;or&nbsp;benign&nbsp;to&nbsp;users&nbsp;and/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">facts&nbsp;to&nbsp;make&nbsp;them&nbsp;appear&nbsp;legitimate&nbsp;or&nbsp;benign&nbsp;to&nbsp;users&nbsp;and/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;security&nbsp;tools.&nbsp;Masquerading&nbsp;occurs&nbsp;when&nbsp;the&nbsp;name&nbsp;or&nbsp;loca</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">or&nbsp;security&nbsp;tools.&nbsp;Masquerading&nbsp;occurs&nbsp;when&nbsp;the&nbsp;name&nbsp;or&nbsp;loca</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;of&nbsp;an&nbsp;object,&nbsp;legitimate&nbsp;or&nbsp;malicious,&nbsp;is&nbsp;manipulated&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tion&nbsp;of&nbsp;an&nbsp;object,&nbsp;legitimate&nbsp;or&nbsp;malicious,&nbsp;is&nbsp;manipulated&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;abused&nbsp;for&nbsp;the&nbsp;sake&nbsp;of&nbsp;evading&nbsp;defenses&nbsp;and&nbsp;observation.&nbsp;T</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;abused&nbsp;for&nbsp;the&nbsp;sake&nbsp;of&nbsp;evading&nbsp;defenses&nbsp;and&nbsp;observation.&nbsp;T</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">his&nbsp;may&nbsp;include&nbsp;manipulating&nbsp;file&nbsp;metadata,&nbsp;tricking&nbsp;users&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">his&nbsp;may&nbsp;include&nbsp;manipulating&nbsp;file&nbsp;metadata,&nbsp;tricking&nbsp;users&nbsp;i</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nto&nbsp;misidentifying&nbsp;the&nbsp;file&nbsp;type,&nbsp;and&nbsp;giving&nbsp;legitimate&nbsp;task</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nto&nbsp;misidentifying&nbsp;the&nbsp;file&nbsp;type,&nbsp;and&nbsp;giving&nbsp;legitimate&nbsp;task</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;or&nbsp;service&nbsp;names.&nbsp;&nbsp;Renaming&nbsp;abusable&nbsp;system&nbsp;utilities&nbsp;to&nbsp;ev</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;or&nbsp;service&nbsp;names.&nbsp;&nbsp;Renaming&nbsp;abusable&nbsp;system&nbsp;utilities&nbsp;to&nbsp;ev</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ade&nbsp;security&nbsp;monitoring&nbsp;is&nbsp;also&nbsp;a&nbsp;form&nbsp;of&nbsp;[Masquerading](htt</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ade&nbsp;security&nbsp;monitoring&nbsp;is&nbsp;also&nbsp;a&nbsp;form&nbsp;of&nbsp;[Masquerading](htt</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps://attack.mitre.org/techniques/T1036).(Citation:&nbsp;LOLBAS&nbsp;Ma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps://attack.mitre.org/techniques/T1036).(Citation:&nbsp;LOLBAS&nbsp;Ma</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;Site)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in&nbsp;Site)<span class=\"diff_add\">&nbsp;Masquerading&nbsp;may&nbsp;also&nbsp;include&nbsp;the&nbsp;use&nbsp;of&nbsp;[Proxy](ht</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tps://attack.mitre.org/techniques/T1090)&nbsp;or&nbsp;VPNs&nbsp;to&nbsp;disguise</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;IP&nbsp;addresses,&nbsp;which&nbsp;can&nbsp;allow&nbsp;adversaries&nbsp;to&nbsp;blend&nbsp;in&nbsp;with&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">normal&nbsp;network&nbsp;traffic&nbsp;and&nbsp;bypass&nbsp;conditional&nbsp;access&nbsp;policie</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;or&nbsp;anti-abuse&nbsp;protections.</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1022: Restrict File and Directory Permissions",
@@ -8217,7 +8217,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-13 16:01:07.538000+00:00\", \"old_value\": \"2022-04-19 20:30:00.118000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n\\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\\n\\nNative API functions (such as <code>NtCreateProcess</code>) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n\\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n\\nAdversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).\", \"old_value\": \"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n\\nNative API functions (such as <code>NtCreateProcess</code>) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n\\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n\\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).\", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,9 @@\\n Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n+\\n+Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\\n \\n Native API functions (such as <code>NtCreateProcess</code>) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n \\n Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n \\n-Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).\\n+Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Redops Syscalls\", \"description\": \"Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.\", \"url\": \"https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls\"}, \"root['x_mitre_contributors'][2]\": \"Tristan Madani (Cybereason)\"}}",
                     "previous_version": "2.1",
                     "version_change": "2.1 \u2192 2.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to30__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to30__0\"><a href=\"#difflib_chg_to30__top\">t</a></td><td class=\"diff_header\" id=\"from30_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to30__top\">t</a></td><td class=\"diff_header\" id=\"to30_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ramming&nbsp;interface&nbsp;(API)&nbsp;to&nbsp;execute&nbsp;behaviors.&nbsp;Native&nbsp;APIs&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ramming&nbsp;interface&nbsp;(API)&nbsp;to&nbsp;execute&nbsp;behaviors.&nbsp;Native&nbsp;APIs&nbsp;pr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ovide&nbsp;a&nbsp;controlled&nbsp;means&nbsp;of&nbsp;calling&nbsp;low-level&nbsp;OS&nbsp;services&nbsp;wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ovide&nbsp;a&nbsp;controlled&nbsp;means&nbsp;of&nbsp;calling&nbsp;low-level&nbsp;OS&nbsp;services&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">thin&nbsp;the&nbsp;kernel,&nbsp;such&nbsp;as&nbsp;those&nbsp;involving&nbsp;hardware/devices,&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">thin&nbsp;the&nbsp;kernel,&nbsp;such&nbsp;as&nbsp;those&nbsp;involving&nbsp;hardware/devices,&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">emory,&nbsp;and&nbsp;processes.(Citation:&nbsp;NT&nbsp;API&nbsp;Windows)(Citation:&nbsp;Li</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">emory,&nbsp;and&nbsp;processes.(Citation:&nbsp;NT&nbsp;API&nbsp;Windows)(Citation:&nbsp;Li</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nux&nbsp;Kernel&nbsp;API)&nbsp;These&nbsp;native&nbsp;APIs&nbsp;are&nbsp;leveraged&nbsp;by&nbsp;the&nbsp;OS&nbsp;du</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nux&nbsp;Kernel&nbsp;API)&nbsp;These&nbsp;native&nbsp;APIs&nbsp;are&nbsp;leveraged&nbsp;by&nbsp;the&nbsp;OS&nbsp;du</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ring&nbsp;system&nbsp;boot&nbsp;(when&nbsp;other&nbsp;system&nbsp;components&nbsp;are&nbsp;not&nbsp;yet&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ring&nbsp;system&nbsp;boot&nbsp;(when&nbsp;other&nbsp;system&nbsp;components&nbsp;are&nbsp;not&nbsp;yet&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nitialized)&nbsp;as&nbsp;well&nbsp;as&nbsp;carrying&nbsp;out&nbsp;tasks&nbsp;and&nbsp;requests&nbsp;durin</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nitialized)&nbsp;as&nbsp;well&nbsp;as&nbsp;carrying&nbsp;out&nbsp;tasks&nbsp;and&nbsp;requests&nbsp;durin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">g&nbsp;routine&nbsp;operations.&nbsp;&nbsp;Native&nbsp;API&nbsp;functions&nbsp;(such&nbsp;as&nbsp;&lt;code&gt;N</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;routine&nbsp;operations.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;these&nbsp;OS&nbsp;API&nbsp;fu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tCreateProcess&lt;/code&gt;)&nbsp;may&nbsp;be&nbsp;directed&nbsp;invoked&nbsp;via&nbsp;system&nbsp;ca</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nctions&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;executing&nbsp;behaviors.&nbsp;Similar&nbsp;to&nbsp;[Comma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lls&nbsp;/&nbsp;syscalls,&nbsp;but&nbsp;these&nbsp;features&nbsp;are&nbsp;also&nbsp;often&nbsp;exposed&nbsp;to</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://attack.mitre.org/techn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;user-mode&nbsp;applications&nbsp;via&nbsp;interfaces&nbsp;and&nbsp;libraries.(Citati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iques/T1059),&nbsp;the&nbsp;native&nbsp;API&nbsp;and&nbsp;its&nbsp;hierarchy&nbsp;of&nbsp;interfaces</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;CyberBit&nbsp;System&nbsp;Calls)(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;provide&nbsp;mechanisms&nbsp;to&nbsp;interact&nbsp;with&nbsp;and&nbsp;utilize&nbsp;various&nbsp;com</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;For&nbsp;example,&nbsp;functions&nbsp;such&nbsp;as</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ponents&nbsp;of&nbsp;a&nbsp;victimized&nbsp;system.&nbsp;&nbsp;Native&nbsp;API&nbsp;functions&nbsp;(such&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;Windows&nbsp;API&nbsp;&lt;code&gt;CreateProcess()&lt;/code&gt;&nbsp;or&nbsp;GNU&nbsp;&lt;code&gt;f</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">as&nbsp;&lt;code&gt;NtCreateProcess&lt;/code&gt;)&nbsp;may&nbsp;be&nbsp;directed&nbsp;invoked&nbsp;via</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ork()&lt;/code&gt;&nbsp;will&nbsp;allow&nbsp;programs&nbsp;and&nbsp;scripts&nbsp;to&nbsp;start&nbsp;other&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;system&nbsp;calls&nbsp;/&nbsp;syscalls,&nbsp;but&nbsp;these&nbsp;features&nbsp;are&nbsp;also&nbsp;often&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">processes.(Citation:&nbsp;Microsoft&nbsp;CreateProcess)(Citation:&nbsp;GNU&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">exposed&nbsp;to&nbsp;user-mode&nbsp;applications&nbsp;via&nbsp;interfaces&nbsp;and&nbsp;librari</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Fork)&nbsp;This&nbsp;may&nbsp;allow&nbsp;API&nbsp;callers&nbsp;to&nbsp;execute&nbsp;a&nbsp;binary,&nbsp;run&nbsp;a&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es.(Citation:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;CyberBit&nbsp;Syst</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">CLI&nbsp;command,&nbsp;load&nbsp;modules,&nbsp;etc.&nbsp;as&nbsp;thousands&nbsp;of&nbsp;similar&nbsp;API&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">em&nbsp;Calls)(Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;For&nbsp;example,&nbsp;functio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">functions&nbsp;exist&nbsp;for&nbsp;various&nbsp;system&nbsp;operations.(Citation:&nbsp;Mic</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ns&nbsp;such&nbsp;as&nbsp;the&nbsp;Windows&nbsp;API&nbsp;&lt;code&gt;CreateProcess()&lt;/code&gt;&nbsp;or&nbsp;G</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rosoft&nbsp;Win32)(Citation:&nbsp;LIBC)(Citation:&nbsp;GLIBC)&nbsp;&nbsp;Higher&nbsp;level</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">NU&nbsp;&lt;code&gt;fork()&lt;/code&gt;&nbsp;will&nbsp;allow&nbsp;programs&nbsp;and&nbsp;scripts&nbsp;to&nbsp;st</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;software&nbsp;frameworks,&nbsp;such&nbsp;as&nbsp;Microsoft&nbsp;.NET&nbsp;and&nbsp;macOS&nbsp;Cocoa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">art&nbsp;other&nbsp;processes.(Citation:&nbsp;Microsoft&nbsp;CreateProcess)(Cita</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;are&nbsp;also&nbsp;available&nbsp;to&nbsp;interact&nbsp;with&nbsp;native&nbsp;APIs.&nbsp;These&nbsp;fra</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion:&nbsp;GNU&nbsp;Fork)&nbsp;This&nbsp;may&nbsp;allow&nbsp;API&nbsp;callers&nbsp;to&nbsp;execute&nbsp;a&nbsp;bina</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">meworks&nbsp;typically&nbsp;provide&nbsp;language&nbsp;wrappers/abstractions&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ry,&nbsp;run&nbsp;a&nbsp;CLI&nbsp;command,&nbsp;load&nbsp;modules,&nbsp;etc.&nbsp;as&nbsp;thousands&nbsp;of&nbsp;si</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">API&nbsp;functionalities&nbsp;and&nbsp;are&nbsp;designed&nbsp;for&nbsp;ease-of-use/portabi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">milar&nbsp;API&nbsp;functions&nbsp;exist&nbsp;for&nbsp;various&nbsp;system&nbsp;operations.(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lity&nbsp;of&nbsp;code.(Citation:&nbsp;Microsoft&nbsp;NET)(Citation:&nbsp;Apple&nbsp;Core&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation:&nbsp;Microsoft&nbsp;Win32)(Citation:&nbsp;LIBC)(Citation:&nbsp;GLIBC)&nbsp;&nbsp;Hi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Services)(Citation:&nbsp;MACOS&nbsp;Cocoa)(Citation:&nbsp;macOS&nbsp;Foundation)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">gher&nbsp;level&nbsp;software&nbsp;frameworks,&nbsp;such&nbsp;as&nbsp;Microsoft&nbsp;.NET&nbsp;and&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;these&nbsp;OS&nbsp;API&nbsp;functions&nbsp;as&nbsp;a&nbsp;means&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">acOS&nbsp;Cocoa,&nbsp;are&nbsp;also&nbsp;available&nbsp;to&nbsp;interact&nbsp;with&nbsp;native&nbsp;APIs.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;executing&nbsp;behaviors.&nbsp;Similar&nbsp;to&nbsp;[Command&nbsp;and&nbsp;Scripting&nbsp;Inte</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;These&nbsp;frameworks&nbsp;typically&nbsp;provide&nbsp;language&nbsp;wrappers/abstra</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rpreter](https://attack.mitre.org/techniques/T1059),&nbsp;the&nbsp;nat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctions&nbsp;to&nbsp;API&nbsp;functionalities&nbsp;and&nbsp;are&nbsp;designed&nbsp;for&nbsp;ease-of-u</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ive&nbsp;API&nbsp;and&nbsp;its&nbsp;hierarchy&nbsp;of&nbsp;interfaces&nbsp;provide&nbsp;mechanisms&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">se/portability&nbsp;of&nbsp;code.(Citation:&nbsp;Microsoft&nbsp;NET)(Citation:&nbsp;A</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;interact&nbsp;with&nbsp;and&nbsp;utilize&nbsp;various&nbsp;components&nbsp;of&nbsp;a&nbsp;victimiz</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pple&nbsp;Core&nbsp;Services)(Citation:&nbsp;MACOS&nbsp;Cocoa)(Citation:&nbsp;macOS&nbsp;F</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ed&nbsp;system.&nbsp;While&nbsp;invoking&nbsp;API&nbsp;functions,&nbsp;adversaries&nbsp;may&nbsp;als</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">oundation)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;assembly&nbsp;to&nbsp;directly&nbsp;or&nbsp;in-d</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;attempt&nbsp;to&nbsp;bypass&nbsp;defensive&nbsp;tools&nbsp;(ex:&nbsp;unhooking&nbsp;monitored</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">irectly&nbsp;invoke&nbsp;syscalls&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;subvert&nbsp;defensive&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;functions&nbsp;via&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;Tools](https://attack.mitr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ensors&nbsp;and&nbsp;detection&nbsp;signatures&nbsp;such&nbsp;as&nbsp;user&nbsp;mode&nbsp;API-hooks.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e.org/techniques/T1562/001)).</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;Redops&nbsp;Syscalls)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;attempt&nbsp;to&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tamper&nbsp;with&nbsp;sensors&nbsp;and&nbsp;defensive&nbsp;tools&nbsp;associated&nbsp;with&nbsp;API&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">monitoring,&nbsp;such&nbsp;as&nbsp;unhooking&nbsp;monitored&nbsp;functions&nbsp;via&nbsp;[Disab</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">le&nbsp;or&nbsp;Modify&nbsp;Tools](https://attack.mitre.org/techniques/T156</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">2/001).</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to2__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to2__0\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"from2_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"to2_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;interact&nbsp;with&nbsp;the&nbsp;native&nbsp;OS&nbsp;application&nbsp;prog</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ramming&nbsp;interface&nbsp;(API)&nbsp;to&nbsp;execute&nbsp;behaviors.&nbsp;Native&nbsp;APIs&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ramming&nbsp;interface&nbsp;(API)&nbsp;to&nbsp;execute&nbsp;behaviors.&nbsp;Native&nbsp;APIs&nbsp;pr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ovide&nbsp;a&nbsp;controlled&nbsp;means&nbsp;of&nbsp;calling&nbsp;low-level&nbsp;OS&nbsp;services&nbsp;wi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ovide&nbsp;a&nbsp;controlled&nbsp;means&nbsp;of&nbsp;calling&nbsp;low-level&nbsp;OS&nbsp;services&nbsp;wi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">thin&nbsp;the&nbsp;kernel,&nbsp;such&nbsp;as&nbsp;those&nbsp;involving&nbsp;hardware/devices,&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">thin&nbsp;the&nbsp;kernel,&nbsp;such&nbsp;as&nbsp;those&nbsp;involving&nbsp;hardware/devices,&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">emory,&nbsp;and&nbsp;processes.(Citation:&nbsp;NT&nbsp;API&nbsp;Windows)(Citation:&nbsp;Li</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">emory,&nbsp;and&nbsp;processes.(Citation:&nbsp;NT&nbsp;API&nbsp;Windows)(Citation:&nbsp;Li</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nux&nbsp;Kernel&nbsp;API)&nbsp;These&nbsp;native&nbsp;APIs&nbsp;are&nbsp;leveraged&nbsp;by&nbsp;the&nbsp;OS&nbsp;du</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nux&nbsp;Kernel&nbsp;API)&nbsp;These&nbsp;native&nbsp;APIs&nbsp;are&nbsp;leveraged&nbsp;by&nbsp;the&nbsp;OS&nbsp;du</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ring&nbsp;system&nbsp;boot&nbsp;(when&nbsp;other&nbsp;system&nbsp;components&nbsp;are&nbsp;not&nbsp;yet&nbsp;i</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ring&nbsp;system&nbsp;boot&nbsp;(when&nbsp;other&nbsp;system&nbsp;components&nbsp;are&nbsp;not&nbsp;yet&nbsp;i</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nitialized)&nbsp;as&nbsp;well&nbsp;as&nbsp;carrying&nbsp;out&nbsp;tasks&nbsp;and&nbsp;requests&nbsp;durin</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nitialized)&nbsp;as&nbsp;well&nbsp;as&nbsp;carrying&nbsp;out&nbsp;tasks&nbsp;and&nbsp;requests&nbsp;durin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">g&nbsp;routine&nbsp;operations.&nbsp;&nbsp;Native&nbsp;API&nbsp;functions&nbsp;(such&nbsp;as&nbsp;&lt;code&gt;N</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;routine&nbsp;operations.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;these&nbsp;OS&nbsp;API&nbsp;fu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tCreateProcess&lt;/code&gt;)&nbsp;may&nbsp;be&nbsp;directed&nbsp;invoked&nbsp;via&nbsp;system&nbsp;ca</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nctions&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;executing&nbsp;behaviors.&nbsp;Similar&nbsp;to&nbsp;[Comma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lls&nbsp;/&nbsp;syscalls,&nbsp;but&nbsp;these&nbsp;features&nbsp;are&nbsp;also&nbsp;often&nbsp;exposed&nbsp;to</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;and&nbsp;Scripting&nbsp;Interpreter](https://attack.mitre.org/techn</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;user-mode&nbsp;applications&nbsp;via&nbsp;interfaces&nbsp;and&nbsp;libraries.(Citati</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iques/T1059),&nbsp;the&nbsp;native&nbsp;API&nbsp;and&nbsp;its&nbsp;hierarchy&nbsp;of&nbsp;interfaces</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;CyberBit&nbsp;System&nbsp;Calls)(</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;provide&nbsp;mechanisms&nbsp;to&nbsp;interact&nbsp;with&nbsp;and&nbsp;utilize&nbsp;various&nbsp;com</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;For&nbsp;example,&nbsp;functions&nbsp;such&nbsp;as</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ponents&nbsp;of&nbsp;a&nbsp;victimized&nbsp;system.&nbsp;&nbsp;Native&nbsp;API&nbsp;functions&nbsp;(such&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;Windows&nbsp;API&nbsp;&lt;code&gt;CreateProcess()&lt;/code&gt;&nbsp;or&nbsp;GNU&nbsp;&lt;code&gt;f</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">as&nbsp;&lt;code&gt;NtCreateProcess&lt;/code&gt;)&nbsp;may&nbsp;be&nbsp;directed&nbsp;invoked&nbsp;via</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ork()&lt;/code&gt;&nbsp;will&nbsp;allow&nbsp;programs&nbsp;and&nbsp;scripts&nbsp;to&nbsp;start&nbsp;other&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;system&nbsp;calls&nbsp;/&nbsp;syscalls,&nbsp;but&nbsp;these&nbsp;features&nbsp;are&nbsp;also&nbsp;often&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">processes.(Citation:&nbsp;Microsoft&nbsp;CreateProcess)(Citation:&nbsp;GNU&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">exposed&nbsp;to&nbsp;user-mode&nbsp;applications&nbsp;via&nbsp;interfaces&nbsp;and&nbsp;librari</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Fork)&nbsp;This&nbsp;may&nbsp;allow&nbsp;API&nbsp;callers&nbsp;to&nbsp;execute&nbsp;a&nbsp;binary,&nbsp;run&nbsp;a&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">es.(Citation:&nbsp;OutFlank&nbsp;System&nbsp;Calls)(Citation:&nbsp;CyberBit&nbsp;Syst</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">CLI&nbsp;command,&nbsp;load&nbsp;modules,&nbsp;etc.&nbsp;as&nbsp;thousands&nbsp;of&nbsp;similar&nbsp;API&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">em&nbsp;Calls)(Citation:&nbsp;MDSec&nbsp;System&nbsp;Calls)&nbsp;For&nbsp;example,&nbsp;functio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">functions&nbsp;exist&nbsp;for&nbsp;various&nbsp;system&nbsp;operations.(Citation:&nbsp;Mic</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ns&nbsp;such&nbsp;as&nbsp;the&nbsp;Windows&nbsp;API&nbsp;&lt;code&gt;CreateProcess()&lt;/code&gt;&nbsp;or&nbsp;G</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rosoft&nbsp;Win32)(Citation:&nbsp;LIBC)(Citation:&nbsp;GLIBC)&nbsp;&nbsp;Higher&nbsp;level</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">NU&nbsp;&lt;code&gt;fork()&lt;/code&gt;&nbsp;will&nbsp;allow&nbsp;programs&nbsp;and&nbsp;scripts&nbsp;to&nbsp;st</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;software&nbsp;frameworks,&nbsp;such&nbsp;as&nbsp;Microsoft&nbsp;.NET&nbsp;and&nbsp;macOS&nbsp;Cocoa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">art&nbsp;other&nbsp;processes.(Citation:&nbsp;Microsoft&nbsp;CreateProcess)(Cita</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;are&nbsp;also&nbsp;available&nbsp;to&nbsp;interact&nbsp;with&nbsp;native&nbsp;APIs.&nbsp;These&nbsp;fra</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion:&nbsp;GNU&nbsp;Fork)&nbsp;This&nbsp;may&nbsp;allow&nbsp;API&nbsp;callers&nbsp;to&nbsp;execute&nbsp;a&nbsp;bina</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">meworks&nbsp;typically&nbsp;provide&nbsp;language&nbsp;wrappers/abstractions&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ry,&nbsp;run&nbsp;a&nbsp;CLI&nbsp;command,&nbsp;load&nbsp;modules,&nbsp;etc.&nbsp;as&nbsp;thousands&nbsp;of&nbsp;si</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">API&nbsp;functionalities&nbsp;and&nbsp;are&nbsp;designed&nbsp;for&nbsp;ease-of-use/portabi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">milar&nbsp;API&nbsp;functions&nbsp;exist&nbsp;for&nbsp;various&nbsp;system&nbsp;operations.(Cit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lity&nbsp;of&nbsp;code.(Citation:&nbsp;Microsoft&nbsp;NET)(Citation:&nbsp;Apple&nbsp;Core&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation:&nbsp;Microsoft&nbsp;Win32)(Citation:&nbsp;LIBC)(Citation:&nbsp;GLIBC)&nbsp;&nbsp;Hi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Services)(Citation:&nbsp;MACOS&nbsp;Cocoa)(Citation:&nbsp;macOS&nbsp;Foundation)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">gher&nbsp;level&nbsp;software&nbsp;frameworks,&nbsp;such&nbsp;as&nbsp;Microsoft&nbsp;.NET&nbsp;and&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;abuse&nbsp;these&nbsp;OS&nbsp;API&nbsp;functions&nbsp;as&nbsp;a&nbsp;means&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">acOS&nbsp;Cocoa,&nbsp;are&nbsp;also&nbsp;available&nbsp;to&nbsp;interact&nbsp;with&nbsp;native&nbsp;APIs.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;executing&nbsp;behaviors.&nbsp;Similar&nbsp;to&nbsp;[Command&nbsp;and&nbsp;Scripting&nbsp;Inte</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;These&nbsp;frameworks&nbsp;typically&nbsp;provide&nbsp;language&nbsp;wrappers/abstra</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">rpreter](https://attack.mitre.org/techniques/T1059),&nbsp;the&nbsp;nat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctions&nbsp;to&nbsp;API&nbsp;functionalities&nbsp;and&nbsp;are&nbsp;designed&nbsp;for&nbsp;ease-of-u</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ive&nbsp;API&nbsp;and&nbsp;its&nbsp;hierarchy&nbsp;of&nbsp;interfaces&nbsp;provide&nbsp;mechanisms&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">se/portability&nbsp;of&nbsp;code.(Citation:&nbsp;Microsoft&nbsp;NET)(Citation:&nbsp;A</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;interact&nbsp;with&nbsp;and&nbsp;utilize&nbsp;various&nbsp;components&nbsp;of&nbsp;a&nbsp;victimiz</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pple&nbsp;Core&nbsp;Services)(Citation:&nbsp;MACOS&nbsp;Cocoa)(Citation:&nbsp;macOS&nbsp;F</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ed&nbsp;system.&nbsp;While&nbsp;invoking&nbsp;API&nbsp;functions,&nbsp;adversaries&nbsp;may&nbsp;als</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">oundation)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;assembly&nbsp;to&nbsp;directly&nbsp;or&nbsp;in-d</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;attempt&nbsp;to&nbsp;bypass&nbsp;defensive&nbsp;tools&nbsp;(ex:&nbsp;unhooking&nbsp;monitored</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">irectly&nbsp;invoke&nbsp;syscalls&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;subvert&nbsp;defensive&nbsp;s</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;functions&nbsp;via&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;Tools](https://attack.mitr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ensors&nbsp;and&nbsp;detection&nbsp;signatures&nbsp;such&nbsp;as&nbsp;user&nbsp;mode&nbsp;API-hooks.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e.org/techniques/T1562/001)).</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(Citation:&nbsp;Redops&nbsp;Syscalls)&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;attempt&nbsp;to&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tamper&nbsp;with&nbsp;sensors&nbsp;and&nbsp;defensive&nbsp;tools&nbsp;associated&nbsp;with&nbsp;API&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">monitoring,&nbsp;such&nbsp;as&nbsp;unhooking&nbsp;monitored&nbsp;functions&nbsp;via&nbsp;[Disab</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">le&nbsp;or&nbsp;Modify&nbsp;Tools](https://attack.mitre.org/techniques/T156</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">2/001).</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1038: Execution Prevention",
@@ -9415,7 +9415,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-06 14:08:51.616000+00:00\", \"old_value\": \"2023-04-11 00:44:21.193000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\\n\\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n\\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to  [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\", \"old_value\": \"Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016)\\n\\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to  [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\\n \\n-All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016)\\n+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\\n+\\n+Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \\\"IDN homograph attack\\\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n \\n Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to  [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.5\", \"old_value\": \"2.4\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Mandiant URL Obfuscation 2023\", \"description\": \"Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse\"}}}",
                     "previous_version": "2.4",
                     "version_change": "2.4 \u2192 2.5",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to21__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to21__0\"><a href=\"#difflib_chg_to21__top\">t</a></td><td class=\"diff_header\" id=\"from21_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td><td class=\"diff_next\"><a href=\"#difflib_chg_to21__top\">t</a></td><td class=\"diff_header\" id=\"to21_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;int</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;<span class=\"diff_add\">&nbsp;</span>Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;in</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;imag</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">teract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;ima</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionally</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionall</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;\"ID</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;\"I</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">N&nbsp;homograph&nbsp;attack\").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;&nbsp;Adversar</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">DN&nbsp;homograph&nbsp;attack\").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;<span class=\"diff_add\">URLs&nbsp;may</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;also&nbsp;be&nbsp;obfuscated&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;quirks&nbsp;in&nbsp;the&nbsp;URL</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cally&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;schema,&nbsp;such&nbsp;as&nbsp;the&nbsp;acceptance&nbsp;of&nbsp;integer-&nbsp;or&nbsp;hexadecimal-b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">user&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ased&nbsp;hostname&nbsp;formats&nbsp;and&nbsp;the&nbsp;automatic&nbsp;discarding&nbsp;of&nbsp;text&nbsp;b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">allowing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](ht</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">efore&nbsp;an&nbsp;\u201c@\u201d&nbsp;symbol:&nbsp;for&nbsp;example,&nbsp;`hxxp://google.com@1157586</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;M</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">937`.(Citation:&nbsp;Mandiant&nbsp;URL&nbsp;Obfuscation&nbsp;2023)&nbsp;</span>&nbsp;Adversaries&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icro&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typicall</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;u</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;user</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ser&nbsp;via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Ph</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;allo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ishing&nbsp;2021)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">//attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;Micro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Phishi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;2021)</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to24__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to24__0\"><a href=\"#difflib_chg_to24__top\">t</a></td><td class=\"diff_header\" id=\"from24_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td><td class=\"diff_next\"><a href=\"#difflib_chg_to24__top\">t</a></td><td class=\"diff_header\" id=\"to24_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;emails&nbsp;with&nbsp;a&nbsp;malicious&nbsp;l</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ink&nbsp;in&nbsp;an&nbsp;attempt&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;victim&nbsp;systems.&nbsp;Spearphi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">shing&nbsp;with&nbsp;a&nbsp;link&nbsp;is&nbsp;a&nbsp;specific&nbsp;variant&nbsp;of&nbsp;spearphishing.&nbsp;It</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;is&nbsp;different&nbsp;from&nbsp;other&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;in&nbsp;that&nbsp;it&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mploys&nbsp;the&nbsp;use&nbsp;of&nbsp;links&nbsp;to&nbsp;download&nbsp;malware&nbsp;contained&nbsp;in&nbsp;ema</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">il,&nbsp;instead&nbsp;of&nbsp;attaching&nbsp;malicious&nbsp;files&nbsp;to&nbsp;the&nbsp;email&nbsp;itself</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;to&nbsp;avoid&nbsp;defenses&nbsp;that&nbsp;may&nbsp;inspect&nbsp;email&nbsp;attachments.&nbsp;Spea</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rphishing&nbsp;may&nbsp;also&nbsp;involve&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;su</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;trusted&nbsp;source.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;are&nbsp;electronically&nbsp;delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;a&nbsp;specific&nbsp;individual,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;case,</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;malicious&nbsp;emails&nbsp;contain&nbsp;links.&nbsp;Generally,&nbsp;the&nbsp;links&nbsp;wi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ll&nbsp;be&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineering&nbsp;text&nbsp;and&nbsp;require&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;brows</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er,&nbsp;leveraging&nbsp;[User&nbsp;Execution](https://attack.mitre.org/tec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hniques/T1204).&nbsp;The&nbsp;visited&nbsp;website&nbsp;may&nbsp;compromise&nbsp;the&nbsp;web&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser&nbsp;using&nbsp;an&nbsp;exploit,&nbsp;or&nbsp;the&nbsp;user&nbsp;will&nbsp;be&nbsp;prompted&nbsp;to&nbsp;dow</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nload&nbsp;applications,&nbsp;documents,&nbsp;zip&nbsp;files,&nbsp;or&nbsp;even&nbsp;executable</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;depending&nbsp;on&nbsp;the&nbsp;pretext&nbsp;for&nbsp;the&nbsp;email&nbsp;in&nbsp;the&nbsp;first&nbsp;place.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;int</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;<span class=\"diff_add\">&nbsp;</span>Adversaries&nbsp;may&nbsp;also&nbsp;include&nbsp;links&nbsp;that&nbsp;are&nbsp;intended&nbsp;to&nbsp;in</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;imag</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">teract&nbsp;directly&nbsp;with&nbsp;an&nbsp;email&nbsp;reader,&nbsp;including&nbsp;embedded&nbsp;ima</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">es&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionally</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ges&nbsp;intended&nbsp;to&nbsp;exploit&nbsp;the&nbsp;end&nbsp;system&nbsp;directly.&nbsp;Additionall</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y,&nbsp;adversaries&nbsp;may&nbsp;use&nbsp;seemingly&nbsp;benign&nbsp;links&nbsp;that&nbsp;abuse&nbsp;spe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;\"ID</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cial&nbsp;characters&nbsp;to&nbsp;mimic&nbsp;legitimate&nbsp;websites&nbsp;(known&nbsp;as&nbsp;an&nbsp;\"I</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">N&nbsp;homograph&nbsp;attack\").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;&nbsp;Adversar</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">DN&nbsp;homograph&nbsp;attack\").(Citation:&nbsp;CISA&nbsp;IDN&nbsp;ST05-016)&nbsp;<span class=\"diff_add\">URLs&nbsp;may</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ies&nbsp;may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;also&nbsp;be&nbsp;obfuscated&nbsp;by&nbsp;taking&nbsp;advantage&nbsp;of&nbsp;quirks&nbsp;in&nbsp;the&nbsp;URL</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cally&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;schema,&nbsp;such&nbsp;as&nbsp;the&nbsp;acceptance&nbsp;of&nbsp;integer-&nbsp;or&nbsp;hexadecimal-b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">user&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ased&nbsp;hostname&nbsp;formats&nbsp;and&nbsp;the&nbsp;automatic&nbsp;discarding&nbsp;of&nbsp;text&nbsp;b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">allowing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](ht</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">efore&nbsp;an&nbsp;\u201c@\u201d&nbsp;symbol:&nbsp;for&nbsp;example,&nbsp;`hxxp://google.com@1157586</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;M</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">937`.(Citation:&nbsp;Mandiant&nbsp;URL&nbsp;Obfuscation&nbsp;2023)&nbsp;</span>&nbsp;Adversaries&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">icro&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;also&nbsp;utilize&nbsp;links&nbsp;to&nbsp;perform&nbsp;consent&nbsp;phishing,&nbsp;typicall</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;the&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;u</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;with&nbsp;OAuth&nbsp;2.0&nbsp;request&nbsp;URLs&nbsp;that&nbsp;when&nbsp;accepted&nbsp;by&nbsp;the&nbsp;user</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ser&nbsp;via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Ph</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;provide&nbsp;permissions/access&nbsp;for&nbsp;malicious&nbsp;applications,&nbsp;allo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ishing&nbsp;2021)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wing&nbsp;adversaries&nbsp;to&nbsp;&nbsp;[Steal&nbsp;Application&nbsp;Access&nbsp;Token](https:</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">//attack.mitre.org/techniques/T1528)s.(Citation:&nbsp;Trend&nbsp;Micro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Pawn&nbsp;Storm&nbsp;OAuth&nbsp;2017)&nbsp;These&nbsp;stolen&nbsp;access&nbsp;tokens&nbsp;allow&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;adversary&nbsp;to&nbsp;perform&nbsp;various&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">via&nbsp;API&nbsp;calls.&nbsp;(Citation:&nbsp;Microsoft&nbsp;OAuth&nbsp;2.0&nbsp;Consent&nbsp;Phishi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;2021)</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1017: User Training",
@@ -9668,7 +9668,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:44:28.081000+00:00\", \"old_value\": \"2023-04-15 17:38:48.406000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n\\nAdversaries may also link to \\\"web bugs\\\" or \\\"web beacons\\\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\\n\\nAdversaries may also be able to spoof a complete website using what is known as a \\\"browser-in-the-browser\\\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\\n\\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\\n\\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.\", \"old_value\": \"Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\\n\\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.\\n\\nAdversaries may also link to \\\"web bugs\\\" or \\\"web beacons\\\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\\n\\nAdversaries may also be able to spoof a complete website using what is known as a \\\"browser-in-the-browser\\\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\\n\\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.\", \"diff\": \"--- \\n+++ \\n@@ -1,9 +1,11 @@\\n Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\\n \\n-All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.\\n+All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \\u201c@\\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\\n \\n Adversaries may also link to \\\"web bugs\\\" or \\\"web beacons\\\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\\n \\n Adversaries may also be able to spoof a complete website using what is known as a \\\"browser-in-the-browser\\\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\\n \\n+Adversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\\n+\\n From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.5\", \"old_value\": \"1.4\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Mandiant URL Obfuscation 2023\", \"description\": \"Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse\"}, \"root['external_references'][8]\": {\"source_name\": \"Proofpoint Human Factor\", \"description\": \"Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.\", \"url\": \"https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf\"}, \"root['x_mitre_contributors'][6]\": \"Austin Herrin\"}}",
                     "previous_version": "1.4",
                     "version_change": "1.4 \u2192 1.5",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to17__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to17__0\"><a href=\"#difflib_chg_to17__top\">t</a></td><td class=\"diff_header\" id=\"from17_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td><td class=\"diff_next\"><a href=\"#difflib_chg_to17__top\">t</a></td><td class=\"diff_header\" id=\"to17_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;link&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;durin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;link&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;durin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;targeting.&nbsp;Spearphishing&nbsp;for&nbsp;information&nbsp;is&nbsp;an&nbsp;attempt&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;targeting.&nbsp;Spearphishing&nbsp;for&nbsp;information&nbsp;is&nbsp;an&nbsp;attempt&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trick&nbsp;targets&nbsp;into&nbsp;divulging&nbsp;information,&nbsp;frequently&nbsp;credent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trick&nbsp;targets&nbsp;into&nbsp;divulging&nbsp;information,&nbsp;frequently&nbsp;credent</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;or&nbsp;other&nbsp;actionable&nbsp;information.&nbsp;Spearphishing&nbsp;for&nbsp;info</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;or&nbsp;other&nbsp;actionable&nbsp;information.&nbsp;Spearphishing&nbsp;for&nbsp;info</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rmation&nbsp;frequently&nbsp;involves&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rmation&nbsp;frequently&nbsp;involves&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;source&nbsp;with&nbsp;a&nbsp;reason&nbsp;to&nbsp;collect&nbsp;informati</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;source&nbsp;with&nbsp;a&nbsp;reason&nbsp;to&nbsp;collect&nbsp;informati</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;(ex:&nbsp;[Establish&nbsp;Accounts](https://attack.mitre.org/techni</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;(ex:&nbsp;[Establish&nbsp;Accounts](https://attack.mitre.org/techni</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1585)&nbsp;or&nbsp;[Compromise&nbsp;Accounts](https://attack.mitre.or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1585)&nbsp;or&nbsp;[Compromise&nbsp;Accounts](https://attack.mitre.or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/techniques/T1586))&nbsp;and/or&nbsp;sending&nbsp;multiple,&nbsp;seemingly&nbsp;urge</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/techniques/T1586))&nbsp;and/or&nbsp;sending&nbsp;multiple,&nbsp;seemingly&nbsp;urge</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt&nbsp;messages.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt&nbsp;messages.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">al,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;scenario,&nbsp;the&nbsp;malicious&nbsp;em</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">al,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;scenario,&nbsp;the&nbsp;malicious&nbsp;em</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ails&nbsp;contain&nbsp;links&nbsp;generally&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineeri</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ails&nbsp;contain&nbsp;links&nbsp;generally&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineeri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;text&nbsp;to&nbsp;coax&nbsp;the&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;text&nbsp;to&nbsp;coax&nbsp;the&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;browser.(Citation:&nbsp;TrendMictro&nbsp;Phishing)(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;browser.(Citation:&nbsp;TrendMictro&nbsp;Phishing)(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;PCMag&nbsp;FakeLogin)&nbsp;The&nbsp;given&nbsp;website&nbsp;may&nbsp;be&nbsp;a&nbsp;clone&nbsp;of&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;PCMag&nbsp;FakeLogin)&nbsp;The&nbsp;given&nbsp;website&nbsp;may&nbsp;be&nbsp;a&nbsp;clone&nbsp;of&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">legitimate&nbsp;site&nbsp;(such&nbsp;as&nbsp;an&nbsp;online&nbsp;or&nbsp;corporate&nbsp;login&nbsp;portal</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">legitimate&nbsp;site&nbsp;(such&nbsp;as&nbsp;an&nbsp;online&nbsp;or&nbsp;corporate&nbsp;login&nbsp;portal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;or&nbsp;may&nbsp;closely&nbsp;resemble&nbsp;a&nbsp;legitimate&nbsp;site&nbsp;in&nbsp;appearance&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;or&nbsp;may&nbsp;closely&nbsp;resemble&nbsp;a&nbsp;legitimate&nbsp;site&nbsp;in&nbsp;appearance&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;have&nbsp;a&nbsp;URL&nbsp;containing&nbsp;elements&nbsp;from&nbsp;the&nbsp;real&nbsp;site.&nbsp;<span class=\"diff_chg\">&nbsp;A</span>dv<span class=\"diff_chg\">ers</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;have&nbsp;a&nbsp;URL&nbsp;containing&nbsp;elements&nbsp;from&nbsp;the&nbsp;real&nbsp;site.&nbsp;<span class=\"diff_chg\">URLs&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">aries&nbsp;may&nbsp;also&nbsp;lin</span>k<span class=\"diff_chg\">&nbsp;to&nbsp;\"web&nbsp;bugs\"&nbsp;or&nbsp;\"web&nbsp;beacons\"&nbsp;within&nbsp;ph</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">y&nbsp;also&nbsp;be&nbsp;obfuscated&nbsp;by&nbsp;taking&nbsp;a</span>dv<span class=\"diff_chg\">antage&nbsp;of&nbsp;quir</span>k<span class=\"diff_chg\">s&nbsp;in&nbsp;the&nbsp;UR</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ishing&nbsp;messages&nbsp;to&nbsp;verify&nbsp;the&nbsp;receipt&nbsp;of&nbsp;an&nbsp;email</span>,&nbsp;<span class=\"diff_chg\">while&nbsp;als</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">L&nbsp;schema</span>,&nbsp;<span class=\"diff_chg\">such&nbsp;as&nbsp;the&nbsp;acceptance&nbsp;of&nbsp;integer-&nbsp;or&nbsp;hexadecimal-</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">o&nbsp;potentially&nbsp;profiling&nbsp;and&nbsp;tracking&nbsp;victim&nbsp;information&nbsp;such</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">based&nbsp;hostname&nbsp;formats&nbsp;and&nbsp;the&nbsp;automatic&nbsp;discarding&nbsp;of&nbsp;text&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">&nbsp;as&nbsp;IP&nbsp;address</span>.(Citation:&nbsp;NIST&nbsp;Web&nbsp;Bug)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;als</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">before&nbsp;an&nbsp;\u201c@\u201d&nbsp;symbol:&nbsp;for&nbsp;example,&nbsp;`hxxp://google.com@115758</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;be&nbsp;able&nbsp;to&nbsp;spoof&nbsp;a&nbsp;complete&nbsp;website&nbsp;using&nbsp;what&nbsp;is&nbsp;known&nbsp;as</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">6937`</span>.(Citation:<span class=\"diff_add\">&nbsp;Mandiant&nbsp;URL&nbsp;Obfuscation&nbsp;2023)&nbsp;&nbsp;Adversaries</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;\"browser-in-the-browser\"&nbsp;(BitB)&nbsp;attack.&nbsp;By&nbsp;generating&nbsp;a&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;may&nbsp;also&nbsp;link&nbsp;to&nbsp;\"web&nbsp;bugs\"&nbsp;or&nbsp;\"web&nbsp;beacons\"&nbsp;within&nbsp;phishin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ake&nbsp;browser&nbsp;popup&nbsp;window&nbsp;with&nbsp;an&nbsp;HTML-based&nbsp;address&nbsp;bar&nbsp;that</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;messages&nbsp;to&nbsp;verify&nbsp;the&nbsp;receipt&nbsp;of&nbsp;an&nbsp;email,&nbsp;while&nbsp;also&nbsp;pot</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;appears&nbsp;to&nbsp;contain&nbsp;a&nbsp;legitimate&nbsp;URL&nbsp;(such&nbsp;as&nbsp;an&nbsp;authenticat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">entially&nbsp;profiling&nbsp;and&nbsp;tracking&nbsp;victim&nbsp;information&nbsp;such&nbsp;as&nbsp;I</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion&nbsp;portal),&nbsp;they&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;prompt&nbsp;users&nbsp;to&nbsp;enter&nbsp;their</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">P&nbsp;address.(Citation:</span>&nbsp;NIST&nbsp;Web&nbsp;Bug)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;be&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;credentials&nbsp;while&nbsp;bypassing&nbsp;typical&nbsp;URL&nbsp;verification&nbsp;method</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">able&nbsp;to&nbsp;spoof&nbsp;a&nbsp;complete&nbsp;website&nbsp;using&nbsp;what&nbsp;is&nbsp;known&nbsp;as&nbsp;a&nbsp;\"b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.(Citation:&nbsp;ZScaler&nbsp;BitB&nbsp;2020)(Citation:&nbsp;Mr.&nbsp;D0x&nbsp;BitB&nbsp;2022)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser-in-the-browser\"&nbsp;(BitB)&nbsp;attack.&nbsp;By&nbsp;generating&nbsp;a&nbsp;fake&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;F<span class=\"diff_chg\">rom&nbsp;the&nbsp;fa</span>k<span class=\"diff_chg\">e</span>&nbsp;website,&nbsp;information&nbsp;is&nbsp;gathered&nbsp;in&nbsp;web&nbsp;form</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser&nbsp;popup&nbsp;window&nbsp;with&nbsp;an&nbsp;HTML-based&nbsp;address&nbsp;bar&nbsp;that&nbsp;appe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;and&nbsp;sent&nbsp;to&nbsp;the&nbsp;adversary.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;inform</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ars&nbsp;to&nbsp;contain&nbsp;a&nbsp;legitimate&nbsp;URL&nbsp;(such&nbsp;as&nbsp;an&nbsp;authentication&nbsp;p</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation&nbsp;from&nbsp;previous&nbsp;reconnaissance&nbsp;efforts&nbsp;(ex:&nbsp;[Search&nbsp;Open</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ortal),&nbsp;they&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;prompt&nbsp;users&nbsp;to&nbsp;enter&nbsp;their&nbsp;cred</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Websites/Domains](https://attack.mitre.org/techniques/T1593</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entials&nbsp;while&nbsp;bypassing&nbsp;typical&nbsp;URL&nbsp;verification&nbsp;methods.(Ci</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;or&nbsp;[Search&nbsp;Victim-Owned&nbsp;Websites](https://attack.mitre.org</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tation:&nbsp;ZScaler&nbsp;BitB&nbsp;2020)(Citation:&nbsp;Mr.&nbsp;D0x&nbsp;BitB&nbsp;2022)&nbsp;&nbsp;<span class=\"diff_add\">Adv</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/techniques/T1594))&nbsp;to&nbsp;craft&nbsp;persuasive&nbsp;and&nbsp;believable&nbsp;lures</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ersaries&nbsp;can&nbsp;use&nbsp;phishing&nbsp;kits&nbsp;such&nbsp;as&nbsp;`EvilProxy`&nbsp;and&nbsp;`Evil</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ginx2`&nbsp;to&nbsp;proxy&nbsp;the&nbsp;connection&nbsp;between&nbsp;the&nbsp;victim&nbsp;and&nbsp;the&nbsp;le</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">gitimate&nbsp;website.&nbsp;On&nbsp;a&nbsp;successful&nbsp;login,&nbsp;the&nbsp;victim&nbsp;is&nbsp;redir</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ected&nbsp;to&nbsp;the&nbsp;legitimate&nbsp;website,&nbsp;while&nbsp;the&nbsp;adversary&nbsp;capture</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;their&nbsp;session&nbsp;cookie&nbsp;(i.e.,&nbsp;[Steal&nbsp;Web&nbsp;Session&nbsp;Cookie](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/techniques/T1539))&nbsp;in&nbsp;addition&nbsp;to&nbsp;thei</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">r&nbsp;username&nbsp;and&nbsp;password.&nbsp;This&nbsp;may&nbsp;enable&nbsp;the&nbsp;adversary&nbsp;to&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">en&nbsp;bypass&nbsp;M</span>F<span class=\"diff_chg\">A&nbsp;via&nbsp;[Web&nbsp;Session&nbsp;Coo</span>k<span class=\"diff_chg\">ie](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">org/techniques/T1550/004).(Citation:&nbsp;Proofpoint&nbsp;Human&nbsp;Factor</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">)&nbsp;&nbsp;From&nbsp;the&nbsp;fake</span>&nbsp;website,&nbsp;information&nbsp;is&nbsp;gathered&nbsp;in&nbsp;web&nbsp;for</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ms&nbsp;and&nbsp;sent&nbsp;to&nbsp;the&nbsp;adversary.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;infor</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mation&nbsp;from&nbsp;previous&nbsp;reconnaissance&nbsp;efforts&nbsp;(ex:&nbsp;[Search&nbsp;Ope</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Websites/Domains](https://attack.mitre.org/techniques/T159</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">3)&nbsp;or&nbsp;[Search&nbsp;Victim-Owned&nbsp;Websites](https://attack.mitre.or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/techniques/T1594))&nbsp;to&nbsp;craft&nbsp;persuasive&nbsp;and&nbsp;believable&nbsp;lure</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to28__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to28__0\"><a href=\"#difflib_chg_to28__top\">t</a></td><td class=\"diff_header\" id=\"from28_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td><td class=\"diff_next\"><a href=\"#difflib_chg_to28__top\">t</a></td><td class=\"diff_header\" id=\"to28_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;send&nbsp;spearphishing&nbsp;messages&nbsp;with&nbsp;a&nbsp;malicious</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;link&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;durin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;link&nbsp;to&nbsp;elicit&nbsp;sensitive&nbsp;information&nbsp;that&nbsp;can&nbsp;be&nbsp;used&nbsp;durin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;targeting.&nbsp;Spearphishing&nbsp;for&nbsp;information&nbsp;is&nbsp;an&nbsp;attempt&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;targeting.&nbsp;Spearphishing&nbsp;for&nbsp;information&nbsp;is&nbsp;an&nbsp;attempt&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trick&nbsp;targets&nbsp;into&nbsp;divulging&nbsp;information,&nbsp;frequently&nbsp;credent</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trick&nbsp;targets&nbsp;into&nbsp;divulging&nbsp;information,&nbsp;frequently&nbsp;credent</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;or&nbsp;other&nbsp;actionable&nbsp;information.&nbsp;Spearphishing&nbsp;for&nbsp;info</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ials&nbsp;or&nbsp;other&nbsp;actionable&nbsp;information.&nbsp;Spearphishing&nbsp;for&nbsp;info</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rmation&nbsp;frequently&nbsp;involves&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rmation&nbsp;frequently&nbsp;involves&nbsp;social&nbsp;engineering&nbsp;techniques,&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;source&nbsp;with&nbsp;a&nbsp;reason&nbsp;to&nbsp;collect&nbsp;informati</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;posing&nbsp;as&nbsp;a&nbsp;source&nbsp;with&nbsp;a&nbsp;reason&nbsp;to&nbsp;collect&nbsp;informati</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;(ex:&nbsp;[Establish&nbsp;Accounts](https://attack.mitre.org/techni</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">on&nbsp;(ex:&nbsp;[Establish&nbsp;Accounts](https://attack.mitre.org/techni</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1585)&nbsp;or&nbsp;[Compromise&nbsp;Accounts](https://attack.mitre.or</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ques/T1585)&nbsp;or&nbsp;[Compromise&nbsp;Accounts](https://attack.mitre.or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/techniques/T1586))&nbsp;and/or&nbsp;sending&nbsp;multiple,&nbsp;seemingly&nbsp;urge</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/techniques/T1586))&nbsp;and/or&nbsp;sending&nbsp;multiple,&nbsp;seemingly&nbsp;urge</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt&nbsp;messages.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nt&nbsp;messages.&nbsp;&nbsp;All&nbsp;forms&nbsp;of&nbsp;spearphishing&nbsp;are&nbsp;electronically&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">delivered&nbsp;social&nbsp;engineering&nbsp;targeted&nbsp;at&nbsp;a&nbsp;specific&nbsp;individu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">al,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;scenario,&nbsp;the&nbsp;malicious&nbsp;em</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">al,&nbsp;company,&nbsp;or&nbsp;industry.&nbsp;In&nbsp;this&nbsp;scenario,&nbsp;the&nbsp;malicious&nbsp;em</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ails&nbsp;contain&nbsp;links&nbsp;generally&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineeri</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ails&nbsp;contain&nbsp;links&nbsp;generally&nbsp;accompanied&nbsp;by&nbsp;social&nbsp;engineeri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;text&nbsp;to&nbsp;coax&nbsp;the&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;text&nbsp;to&nbsp;coax&nbsp;the&nbsp;user&nbsp;to&nbsp;actively&nbsp;click&nbsp;or&nbsp;copy&nbsp;and&nbsp;paste</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;browser.(Citation:&nbsp;TrendMictro&nbsp;Phishing)(Citat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;URL&nbsp;into&nbsp;a&nbsp;browser.(Citation:&nbsp;TrendMictro&nbsp;Phishing)(Citat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;PCMag&nbsp;FakeLogin)&nbsp;The&nbsp;given&nbsp;website&nbsp;may&nbsp;be&nbsp;a&nbsp;clone&nbsp;of&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion:&nbsp;PCMag&nbsp;FakeLogin)&nbsp;The&nbsp;given&nbsp;website&nbsp;may&nbsp;be&nbsp;a&nbsp;clone&nbsp;of&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">legitimate&nbsp;site&nbsp;(such&nbsp;as&nbsp;an&nbsp;online&nbsp;or&nbsp;corporate&nbsp;login&nbsp;portal</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">legitimate&nbsp;site&nbsp;(such&nbsp;as&nbsp;an&nbsp;online&nbsp;or&nbsp;corporate&nbsp;login&nbsp;portal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;or&nbsp;may&nbsp;closely&nbsp;resemble&nbsp;a&nbsp;legitimate&nbsp;site&nbsp;in&nbsp;appearance&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;or&nbsp;may&nbsp;closely&nbsp;resemble&nbsp;a&nbsp;legitimate&nbsp;site&nbsp;in&nbsp;appearance&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;have&nbsp;a&nbsp;URL&nbsp;containing&nbsp;elements&nbsp;from&nbsp;the&nbsp;real&nbsp;site.&nbsp;<span class=\"diff_chg\">&nbsp;A</span>dv<span class=\"diff_chg\">ers</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;have&nbsp;a&nbsp;URL&nbsp;containing&nbsp;elements&nbsp;from&nbsp;the&nbsp;real&nbsp;site.&nbsp;<span class=\"diff_chg\">URLs&nbsp;ma</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">aries&nbsp;may&nbsp;also&nbsp;lin</span>k<span class=\"diff_chg\">&nbsp;to&nbsp;\"web&nbsp;bugs\"&nbsp;or&nbsp;\"web&nbsp;beacons\"&nbsp;within&nbsp;ph</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">y&nbsp;also&nbsp;be&nbsp;obfuscated&nbsp;by&nbsp;taking&nbsp;a</span>dv<span class=\"diff_chg\">antage&nbsp;of&nbsp;quir</span>k<span class=\"diff_chg\">s&nbsp;in&nbsp;the&nbsp;UR</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ishing&nbsp;messages&nbsp;to&nbsp;verify&nbsp;the&nbsp;receipt&nbsp;of&nbsp;an&nbsp;email</span>,&nbsp;<span class=\"diff_chg\">while&nbsp;als</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">L&nbsp;schema</span>,&nbsp;<span class=\"diff_chg\">such&nbsp;as&nbsp;the&nbsp;acceptance&nbsp;of&nbsp;integer-&nbsp;or&nbsp;hexadecimal-</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">o&nbsp;potentially&nbsp;profiling&nbsp;and&nbsp;tracking&nbsp;victim&nbsp;information&nbsp;such</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">based&nbsp;hostname&nbsp;formats&nbsp;and&nbsp;the&nbsp;automatic&nbsp;discarding&nbsp;of&nbsp;text&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">&nbsp;as&nbsp;IP&nbsp;address</span>.(Citation:&nbsp;NIST&nbsp;Web&nbsp;Bug)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;als</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">before&nbsp;an&nbsp;\u201c@\u201d&nbsp;symbol:&nbsp;for&nbsp;example,&nbsp;`hxxp://google.com@115758</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;be&nbsp;able&nbsp;to&nbsp;spoof&nbsp;a&nbsp;complete&nbsp;website&nbsp;using&nbsp;what&nbsp;is&nbsp;known&nbsp;as</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">6937`</span>.(Citation:<span class=\"diff_add\">&nbsp;Mandiant&nbsp;URL&nbsp;Obfuscation&nbsp;2023)&nbsp;&nbsp;Adversaries</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;a&nbsp;\"browser-in-the-browser\"&nbsp;(BitB)&nbsp;attack.&nbsp;By&nbsp;generating&nbsp;a&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;may&nbsp;also&nbsp;link&nbsp;to&nbsp;\"web&nbsp;bugs\"&nbsp;or&nbsp;\"web&nbsp;beacons\"&nbsp;within&nbsp;phishin</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ake&nbsp;browser&nbsp;popup&nbsp;window&nbsp;with&nbsp;an&nbsp;HTML-based&nbsp;address&nbsp;bar&nbsp;that</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">g&nbsp;messages&nbsp;to&nbsp;verify&nbsp;the&nbsp;receipt&nbsp;of&nbsp;an&nbsp;email,&nbsp;while&nbsp;also&nbsp;pot</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;appears&nbsp;to&nbsp;contain&nbsp;a&nbsp;legitimate&nbsp;URL&nbsp;(such&nbsp;as&nbsp;an&nbsp;authenticat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">entially&nbsp;profiling&nbsp;and&nbsp;tracking&nbsp;victim&nbsp;information&nbsp;such&nbsp;as&nbsp;I</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion&nbsp;portal),&nbsp;they&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;prompt&nbsp;users&nbsp;to&nbsp;enter&nbsp;their</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">P&nbsp;address.(Citation:</span>&nbsp;NIST&nbsp;Web&nbsp;Bug)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;be&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;credentials&nbsp;while&nbsp;bypassing&nbsp;typical&nbsp;URL&nbsp;verification&nbsp;method</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">able&nbsp;to&nbsp;spoof&nbsp;a&nbsp;complete&nbsp;website&nbsp;using&nbsp;what&nbsp;is&nbsp;known&nbsp;as&nbsp;a&nbsp;\"b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.(Citation:&nbsp;ZScaler&nbsp;BitB&nbsp;2020)(Citation:&nbsp;Mr.&nbsp;D0x&nbsp;BitB&nbsp;2022)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser-in-the-browser\"&nbsp;(BitB)&nbsp;attack.&nbsp;By&nbsp;generating&nbsp;a&nbsp;fake&nbsp;b</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;F<span class=\"diff_chg\">rom&nbsp;the&nbsp;fa</span>k<span class=\"diff_chg\">e</span>&nbsp;website,&nbsp;information&nbsp;is&nbsp;gathered&nbsp;in&nbsp;web&nbsp;form</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rowser&nbsp;popup&nbsp;window&nbsp;with&nbsp;an&nbsp;HTML-based&nbsp;address&nbsp;bar&nbsp;that&nbsp;appe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;and&nbsp;sent&nbsp;to&nbsp;the&nbsp;adversary.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;inform</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ars&nbsp;to&nbsp;contain&nbsp;a&nbsp;legitimate&nbsp;URL&nbsp;(such&nbsp;as&nbsp;an&nbsp;authentication&nbsp;p</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ation&nbsp;from&nbsp;previous&nbsp;reconnaissance&nbsp;efforts&nbsp;(ex:&nbsp;[Search&nbsp;Open</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ortal),&nbsp;they&nbsp;may&nbsp;be&nbsp;able&nbsp;to&nbsp;prompt&nbsp;users&nbsp;to&nbsp;enter&nbsp;their&nbsp;cred</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Websites/Domains](https://attack.mitre.org/techniques/T1593</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entials&nbsp;while&nbsp;bypassing&nbsp;typical&nbsp;URL&nbsp;verification&nbsp;methods.(Ci</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)&nbsp;or&nbsp;[Search&nbsp;Victim-Owned&nbsp;Websites](https://attack.mitre.org</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tation:&nbsp;ZScaler&nbsp;BitB&nbsp;2020)(Citation:&nbsp;Mr.&nbsp;D0x&nbsp;BitB&nbsp;2022)&nbsp;&nbsp;<span class=\"diff_add\">Adv</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/techniques/T1594))&nbsp;to&nbsp;craft&nbsp;persuasive&nbsp;and&nbsp;believable&nbsp;lures</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ersaries&nbsp;can&nbsp;use&nbsp;phishing&nbsp;kits&nbsp;such&nbsp;as&nbsp;`EvilProxy`&nbsp;and&nbsp;`Evil</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ginx2`&nbsp;to&nbsp;proxy&nbsp;the&nbsp;connection&nbsp;between&nbsp;the&nbsp;victim&nbsp;and&nbsp;the&nbsp;le</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">gitimate&nbsp;website.&nbsp;On&nbsp;a&nbsp;successful&nbsp;login,&nbsp;the&nbsp;victim&nbsp;is&nbsp;redir</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ected&nbsp;to&nbsp;the&nbsp;legitimate&nbsp;website,&nbsp;while&nbsp;the&nbsp;adversary&nbsp;capture</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;their&nbsp;session&nbsp;cookie&nbsp;(i.e.,&nbsp;[Steal&nbsp;Web&nbsp;Session&nbsp;Cookie](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/techniques/T1539))&nbsp;in&nbsp;addition&nbsp;to&nbsp;thei</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">r&nbsp;username&nbsp;and&nbsp;password.&nbsp;This&nbsp;may&nbsp;enable&nbsp;the&nbsp;adversary&nbsp;to&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">en&nbsp;bypass&nbsp;M</span>F<span class=\"diff_chg\">A&nbsp;via&nbsp;[Web&nbsp;Session&nbsp;Coo</span>k<span class=\"diff_chg\">ie](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">org/techniques/T1550/004).(Citation:&nbsp;Proofpoint&nbsp;Human&nbsp;Factor</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">)&nbsp;&nbsp;From&nbsp;the&nbsp;fake</span>&nbsp;website,&nbsp;information&nbsp;is&nbsp;gathered&nbsp;in&nbsp;web&nbsp;for</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ms&nbsp;and&nbsp;sent&nbsp;to&nbsp;the&nbsp;adversary.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;infor</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mation&nbsp;from&nbsp;previous&nbsp;reconnaissance&nbsp;efforts&nbsp;(ex:&nbsp;[Search&nbsp;Ope</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;Websites/Domains](https://attack.mitre.org/techniques/T159</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">3)&nbsp;or&nbsp;[Search&nbsp;Victim-Owned&nbsp;Websites](https://attack.mitre.or</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g/techniques/T1594))&nbsp;to&nbsp;craft&nbsp;persuasive&nbsp;and&nbsp;believable&nbsp;lure</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1017: User Training",
@@ -10142,7 +10142,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-28 16:23:51.194000+00:00\", \"old_value\": \"2022-04-21 14:54:10.899000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\\n\\nRemote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\\n \\nAdversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\\n\\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\", \"old_value\": \"An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land)\\n\\nRemote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\\n\\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land)\\n+An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\\n \\n-Remote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\\n+Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\\n+ \\n+Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\\n \\n-Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\\n+Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}",
                     "previous_version": "2.1",
                     "version_change": "2.1 \u2192 2.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to23__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to23__0\"><a href=\"#difflib_chg_to23__top\">t</a></td><td class=\"diff_header\" id=\"from23_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to23__top\">t</a></td><td class=\"diff_header\" id=\"to23_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ccess&nbsp;software,&nbsp;such&nbsp;as&nbsp;Team&nbsp;Viewer,&nbsp;AnyDesk,&nbsp;Go2Assist,&nbsp;Log</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ccess&nbsp;software&nbsp;to&nbsp;establish&nbsp;an&nbsp;interactive&nbsp;command&nbsp;and&nbsp;contr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Mein,&nbsp;AmmyyAdmin,&nbsp;etc,&nbsp;to&nbsp;establish&nbsp;an&nbsp;interactive&nbsp;command&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ol&nbsp;channel&nbsp;to&nbsp;target&nbsp;systems&nbsp;within&nbsp;networks.&nbsp;These&nbsp;services</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd&nbsp;control&nbsp;channel&nbsp;to&nbsp;target&nbsp;systems&nbsp;within&nbsp;networks.&nbsp;These&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;such&nbsp;as&nbsp;`VNC`,&nbsp;`Team&nbsp;Viewer`,&nbsp;`AnyDesk`,&nbsp;`ScreenConnect`,&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">services&nbsp;are&nbsp;commonly&nbsp;used&nbsp;as&nbsp;legitimate&nbsp;technical&nbsp;support&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`LogMein`,&nbsp;`AmmyyAdmin`,&nbsp;and&nbsp;other&nbsp;remote&nbsp;monitoring&nbsp;and&nbsp;man</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">oftware,&nbsp;and&nbsp;may&nbsp;be&nbsp;allowed&nbsp;by&nbsp;application&nbsp;control&nbsp;within&nbsp;a&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">agement&nbsp;(RMM)&nbsp;tools,&nbsp;are&nbsp;commonly&nbsp;used&nbsp;as&nbsp;legitimate&nbsp;technic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">target&nbsp;environment.&nbsp;Remote&nbsp;access&nbsp;tools&nbsp;like&nbsp;VNC,&nbsp;Ammyy,&nbsp;and</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">al&nbsp;support&nbsp;software&nbsp;and&nbsp;may&nbsp;be&nbsp;allowed&nbsp;by&nbsp;application&nbsp;contro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Teamviewer&nbsp;are&nbsp;used&nbsp;frequently&nbsp;when&nbsp;compared&nbsp;with&nbsp;other&nbsp;leg</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">l&nbsp;within&nbsp;a&nbsp;target&nbsp;environment.(Citation:&nbsp;Symantec&nbsp;Living&nbsp;off</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">itimate&nbsp;software&nbsp;commonly&nbsp;used&nbsp;by&nbsp;adversaries.(Citation:&nbsp;Sym</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;Land)(Citation:&nbsp;CrowdStrike&nbsp;2015&nbsp;Global&nbsp;Threat&nbsp;Report)(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">antec&nbsp;Living&nbsp;off&nbsp;the&nbsp;Land)&nbsp;&nbsp;Remote&nbsp;access&nbsp;tools&nbsp;may&nbsp;be&nbsp;insta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Citation:&nbsp;CrySyS&nbsp;Blog&nbsp;TeamSpy)&nbsp;&nbsp;Remote&nbsp;access&nbsp;software&nbsp;may&nbsp;b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lled&nbsp;and&nbsp;used&nbsp;post-compromise&nbsp;as&nbsp;alternate&nbsp;communications&nbsp;ch</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;installed&nbsp;and&nbsp;used&nbsp;post-compromise&nbsp;as&nbsp;an&nbsp;alternate&nbsp;communi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">annel&nbsp;for&nbsp;redundant&nbsp;access&nbsp;or&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;establish&nbsp;an&nbsp;inter</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cations&nbsp;channel&nbsp;for&nbsp;redundant&nbsp;access&nbsp;or&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;establis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">active&nbsp;remote&nbsp;desktop&nbsp;session&nbsp;with&nbsp;the&nbsp;target&nbsp;system.&nbsp;They&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">h&nbsp;an&nbsp;interactive&nbsp;remote&nbsp;desktop&nbsp;session&nbsp;with&nbsp;the&nbsp;target&nbsp;syst</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ay&nbsp;also&nbsp;be&nbsp;used&nbsp;as&nbsp;a&nbsp;component&nbsp;of&nbsp;malware&nbsp;to&nbsp;establish&nbsp;a&nbsp;rev</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">em.&nbsp;They&nbsp;may&nbsp;also&nbsp;be&nbsp;used&nbsp;as&nbsp;a&nbsp;component&nbsp;of&nbsp;malware&nbsp;to&nbsp;estab</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">erse&nbsp;connection&nbsp;or&nbsp;back-connect&nbsp;to&nbsp;a&nbsp;service&nbsp;or&nbsp;adversary&nbsp;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lish&nbsp;a&nbsp;reverse&nbsp;connection&nbsp;or&nbsp;back-connect&nbsp;to&nbsp;a&nbsp;service&nbsp;or&nbsp;ad</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ntrolled&nbsp;system.&nbsp;Installation&nbsp;of&nbsp;many&nbsp;remote&nbsp;access&nbsp;tools&nbsp;ma</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">versary&nbsp;controlled&nbsp;system.&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;similarly&nbsp;abuse</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;also&nbsp;include&nbsp;persistence&nbsp;(ex:&nbsp;the&nbsp;tool's&nbsp;installation&nbsp;rout</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;response&nbsp;features&nbsp;included&nbsp;in&nbsp;EDR&nbsp;and&nbsp;other&nbsp;defensive&nbsp;tools</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ine&nbsp;creates&nbsp;a&nbsp;[Windows&nbsp;Service](https://attack.mitre.org/tec</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;that&nbsp;enable&nbsp;remote&nbsp;access.&nbsp;&nbsp;Installation&nbsp;of&nbsp;many&nbsp;remote&nbsp;acc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">hniques/T1543/003)).&nbsp;&nbsp;Admin&nbsp;tools&nbsp;such&nbsp;as&nbsp;TeamViewer&nbsp;have&nbsp;be</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ess&nbsp;software&nbsp;may&nbsp;also&nbsp;include&nbsp;persistence&nbsp;(e.g.,&nbsp;the&nbsp;softwar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">en&nbsp;used&nbsp;by&nbsp;several&nbsp;groups&nbsp;targeting&nbsp;institutions&nbsp;in&nbsp;countrie</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e's&nbsp;installation&nbsp;routine&nbsp;creates&nbsp;a&nbsp;[Windows&nbsp;Service](https:/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;of&nbsp;interest&nbsp;to&nbsp;the&nbsp;Russian&nbsp;state&nbsp;and&nbsp;criminal&nbsp;campaigns.(C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/attack.mitre.org/techniques/T1543/003)).</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">itation:&nbsp;CrowdStrike&nbsp;2015&nbsp;Global&nbsp;Threat&nbsp;Report)(Citation:&nbsp;Cr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ySyS&nbsp;Blog&nbsp;TeamSpy)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to33__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to33__0\"><a href=\"#difflib_chg_to33__top\">t</a></td><td class=\"diff_header\" id=\"from33_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to33__top\">t</a></td><td class=\"diff_header\" id=\"to33_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;legitimate&nbsp;desktop&nbsp;support&nbsp;and&nbsp;remote&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ccess&nbsp;software,&nbsp;such&nbsp;as&nbsp;Team&nbsp;Viewer,&nbsp;AnyDesk,&nbsp;Go2Assist,&nbsp;Log</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ccess&nbsp;software&nbsp;to&nbsp;establish&nbsp;an&nbsp;interactive&nbsp;command&nbsp;and&nbsp;contr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Mein,&nbsp;AmmyyAdmin,&nbsp;etc,&nbsp;to&nbsp;establish&nbsp;an&nbsp;interactive&nbsp;command&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ol&nbsp;channel&nbsp;to&nbsp;target&nbsp;systems&nbsp;within&nbsp;networks.&nbsp;These&nbsp;services</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd&nbsp;control&nbsp;channel&nbsp;to&nbsp;target&nbsp;systems&nbsp;within&nbsp;networks.&nbsp;These&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;such&nbsp;as&nbsp;`VNC`,&nbsp;`Team&nbsp;Viewer`,&nbsp;`AnyDesk`,&nbsp;`ScreenConnect`,&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">services&nbsp;are&nbsp;commonly&nbsp;used&nbsp;as&nbsp;legitimate&nbsp;technical&nbsp;support&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`LogMein`,&nbsp;`AmmyyAdmin`,&nbsp;and&nbsp;other&nbsp;remote&nbsp;monitoring&nbsp;and&nbsp;man</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">oftware,&nbsp;and&nbsp;may&nbsp;be&nbsp;allowed&nbsp;by&nbsp;application&nbsp;control&nbsp;within&nbsp;a&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">agement&nbsp;(RMM)&nbsp;tools,&nbsp;are&nbsp;commonly&nbsp;used&nbsp;as&nbsp;legitimate&nbsp;technic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">target&nbsp;environment.&nbsp;Remote&nbsp;access&nbsp;tools&nbsp;like&nbsp;VNC,&nbsp;Ammyy,&nbsp;and</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">al&nbsp;support&nbsp;software&nbsp;and&nbsp;may&nbsp;be&nbsp;allowed&nbsp;by&nbsp;application&nbsp;contro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Teamviewer&nbsp;are&nbsp;used&nbsp;frequently&nbsp;when&nbsp;compared&nbsp;with&nbsp;other&nbsp;leg</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">l&nbsp;within&nbsp;a&nbsp;target&nbsp;environment.(Citation:&nbsp;Symantec&nbsp;Living&nbsp;off</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">itimate&nbsp;software&nbsp;commonly&nbsp;used&nbsp;by&nbsp;adversaries.(Citation:&nbsp;Sym</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;Land)(Citation:&nbsp;CrowdStrike&nbsp;2015&nbsp;Global&nbsp;Threat&nbsp;Report)(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">antec&nbsp;Living&nbsp;off&nbsp;the&nbsp;Land)&nbsp;&nbsp;Remote&nbsp;access&nbsp;tools&nbsp;may&nbsp;be&nbsp;insta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Citation:&nbsp;CrySyS&nbsp;Blog&nbsp;TeamSpy)&nbsp;&nbsp;Remote&nbsp;access&nbsp;software&nbsp;may&nbsp;b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lled&nbsp;and&nbsp;used&nbsp;post-compromise&nbsp;as&nbsp;alternate&nbsp;communications&nbsp;ch</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;installed&nbsp;and&nbsp;used&nbsp;post-compromise&nbsp;as&nbsp;an&nbsp;alternate&nbsp;communi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">annel&nbsp;for&nbsp;redundant&nbsp;access&nbsp;or&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;establish&nbsp;an&nbsp;inter</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cations&nbsp;channel&nbsp;for&nbsp;redundant&nbsp;access&nbsp;or&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;establis</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">active&nbsp;remote&nbsp;desktop&nbsp;session&nbsp;with&nbsp;the&nbsp;target&nbsp;system.&nbsp;They&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">h&nbsp;an&nbsp;interactive&nbsp;remote&nbsp;desktop&nbsp;session&nbsp;with&nbsp;the&nbsp;target&nbsp;syst</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ay&nbsp;also&nbsp;be&nbsp;used&nbsp;as&nbsp;a&nbsp;component&nbsp;of&nbsp;malware&nbsp;to&nbsp;establish&nbsp;a&nbsp;rev</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">em.&nbsp;They&nbsp;may&nbsp;also&nbsp;be&nbsp;used&nbsp;as&nbsp;a&nbsp;component&nbsp;of&nbsp;malware&nbsp;to&nbsp;estab</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">erse&nbsp;connection&nbsp;or&nbsp;back-connect&nbsp;to&nbsp;a&nbsp;service&nbsp;or&nbsp;adversary&nbsp;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lish&nbsp;a&nbsp;reverse&nbsp;connection&nbsp;or&nbsp;back-connect&nbsp;to&nbsp;a&nbsp;service&nbsp;or&nbsp;ad</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ntrolled&nbsp;system.&nbsp;Installation&nbsp;of&nbsp;many&nbsp;remote&nbsp;access&nbsp;tools&nbsp;ma</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">versary&nbsp;controlled&nbsp;system.&nbsp;&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;similarly&nbsp;abuse</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y&nbsp;also&nbsp;include&nbsp;persistence&nbsp;(ex:&nbsp;the&nbsp;tool's&nbsp;installation&nbsp;rout</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;response&nbsp;features&nbsp;included&nbsp;in&nbsp;EDR&nbsp;and&nbsp;other&nbsp;defensive&nbsp;tools</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ine&nbsp;creates&nbsp;a&nbsp;[Windows&nbsp;Service](https://attack.mitre.org/tec</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;that&nbsp;enable&nbsp;remote&nbsp;access.&nbsp;&nbsp;Installation&nbsp;of&nbsp;many&nbsp;remote&nbsp;acc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">hniques/T1543/003)).&nbsp;&nbsp;Admin&nbsp;tools&nbsp;such&nbsp;as&nbsp;TeamViewer&nbsp;have&nbsp;be</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ess&nbsp;software&nbsp;may&nbsp;also&nbsp;include&nbsp;persistence&nbsp;(e.g.,&nbsp;the&nbsp;softwar</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">en&nbsp;used&nbsp;by&nbsp;several&nbsp;groups&nbsp;targeting&nbsp;institutions&nbsp;in&nbsp;countrie</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e's&nbsp;installation&nbsp;routine&nbsp;creates&nbsp;a&nbsp;[Windows&nbsp;Service](https:/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;of&nbsp;interest&nbsp;to&nbsp;the&nbsp;Russian&nbsp;state&nbsp;and&nbsp;criminal&nbsp;campaigns.(C</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/attack.mitre.org/techniques/T1543/003)).</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">itation:&nbsp;CrowdStrike&nbsp;2015&nbsp;Global&nbsp;Threat&nbsp;Report)(Citation:&nbsp;Cr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ySyS&nbsp;Blog&nbsp;TeamSpy)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1031: Network Intrusion Prevention",
@@ -11038,7 +11038,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-02 01:11:32.822000+00:00\", \"old_value\": \"2022-04-18 20:16:44.560000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \\n\\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\\n\\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\\n\\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)\", \"old_value\": \"Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. \\n\\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\\n\\nAdditionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\\n\\nAdversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)\", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,7 @@\\n-Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. \\n+Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. \\n \\n One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\\n \\n Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it\\u2019s not competing for resources.(Citation: Trend Micro War of Crypto Miners)\\n \\n-Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)\\n+Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.4\", \"old_value\": \"1.3\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Sysdig Proxyjacking\", \"description\": \"Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.\", \"url\": \"https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/\"}, \"root['x_mitre_contributors'][6]\": \"Goldstein Menachem\"}}",
                     "previous_version": "1.3",
                     "version_change": "1.3 \u2192 1.4",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to31__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to31__0\"><a href=\"#difflib_chg_to31__top\">t</a></td><td class=\"diff_header\" id=\"from31_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;i</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to31__top\">t</a></td><td class=\"diff_header\" id=\"to31_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;order&nbsp;to&nbsp;solve&nbsp;resource&nbsp;intensive&nbsp;problems,&nbsp;which&nbsp;may&nbsp;impa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;complete&nbsp;resource-intensive&nbsp;tasks,&nbsp;which&nbsp;may&nbsp;impact&nbsp;system</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ct&nbsp;system&nbsp;and/or&nbsp;hosted&nbsp;service&nbsp;availability.&nbsp;&nbsp;&nbsp;One&nbsp;common&nbsp;p</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;and/or&nbsp;hosted&nbsp;service&nbsp;availability.&nbsp;&nbsp;&nbsp;One&nbsp;common&nbsp;purpose&nbsp;fo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">urpose&nbsp;for&nbsp;Resource&nbsp;Hijacking&nbsp;is&nbsp;to&nbsp;validate&nbsp;transactions&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">r&nbsp;Resource&nbsp;Hijacking&nbsp;is&nbsp;to&nbsp;validate&nbsp;transactions&nbsp;of&nbsp;cryptocu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;cryptocurrency&nbsp;networks&nbsp;and&nbsp;earn&nbsp;virtual&nbsp;currency.&nbsp;Adversar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rrency&nbsp;networks&nbsp;and&nbsp;earn&nbsp;virtual&nbsp;currency.&nbsp;Adversaries&nbsp;may&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ies&nbsp;may&nbsp;consume&nbsp;enough&nbsp;system&nbsp;resources&nbsp;to&nbsp;negatively&nbsp;impact</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">onsume&nbsp;enough&nbsp;system&nbsp;resources&nbsp;to&nbsp;negatively&nbsp;impact&nbsp;and/or&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;and/or&nbsp;cause&nbsp;affected&nbsp;machines&nbsp;to&nbsp;become&nbsp;unresponsive.(Cita</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ause&nbsp;affected&nbsp;machines&nbsp;to&nbsp;become&nbsp;unresponsive.(Citation:&nbsp;Kas</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tion:&nbsp;Kaspersky&nbsp;Lazarus&nbsp;Under&nbsp;The&nbsp;Hood&nbsp;Blog&nbsp;2017)&nbsp;Servers&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">persky&nbsp;Lazarus&nbsp;Under&nbsp;The&nbsp;Hood&nbsp;Blog&nbsp;2017)&nbsp;Servers&nbsp;and&nbsp;cloud-b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;cloud-based&nbsp;systems&nbsp;are&nbsp;common&nbsp;targets&nbsp;because&nbsp;of&nbsp;the&nbsp;high</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ased&nbsp;systems&nbsp;are&nbsp;common&nbsp;targets&nbsp;because&nbsp;of&nbsp;the&nbsp;high&nbsp;potentia</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;potential&nbsp;for&nbsp;available&nbsp;resources,&nbsp;but&nbsp;user&nbsp;endpoint&nbsp;system</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">l&nbsp;for&nbsp;available&nbsp;resources,&nbsp;but&nbsp;user&nbsp;endpoint&nbsp;systems&nbsp;may&nbsp;als</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;may&nbsp;also&nbsp;be&nbsp;compromised&nbsp;and&nbsp;used&nbsp;for&nbsp;Resource&nbsp;Hijacking&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;be&nbsp;compromised&nbsp;and&nbsp;used&nbsp;for&nbsp;Resource&nbsp;Hijacking&nbsp;and&nbsp;cryptoc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;cryptocurrency&nbsp;mining.(Citation:&nbsp;CloudSploit&nbsp;-&nbsp;Unused&nbsp;AWS&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urrency&nbsp;mining.(Citation:&nbsp;CloudSploit&nbsp;-&nbsp;Unused&nbsp;AWS&nbsp;Regions)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Regions)&nbsp;Containerized&nbsp;environments&nbsp;may&nbsp;also&nbsp;be&nbsp;targeted&nbsp;due</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Containerized&nbsp;environments&nbsp;may&nbsp;also&nbsp;be&nbsp;targeted&nbsp;due&nbsp;to&nbsp;the&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;to&nbsp;the&nbsp;ease&nbsp;of&nbsp;deployment&nbsp;via&nbsp;exposed&nbsp;APIs&nbsp;and&nbsp;the&nbsp;potentia</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ase&nbsp;of&nbsp;deployment&nbsp;via&nbsp;exposed&nbsp;APIs&nbsp;and&nbsp;the&nbsp;potential&nbsp;for&nbsp;sca</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l&nbsp;for&nbsp;scaling&nbsp;mining&nbsp;activities&nbsp;by&nbsp;deploying&nbsp;or&nbsp;compromising</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ling&nbsp;mining&nbsp;activities&nbsp;by&nbsp;deploying&nbsp;or&nbsp;compromising&nbsp;multiple</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;multiple&nbsp;containers&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;cluster.(Citat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;containers&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;cluster.(Citation:&nbsp;Unit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ion:&nbsp;Unit&nbsp;42&nbsp;Hildegard&nbsp;Malware)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;Expose</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;42&nbsp;Hildegard&nbsp;Malware)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;Exposed&nbsp;Docker&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;Docker&nbsp;APIs)&nbsp;&nbsp;Additionally,&nbsp;some&nbsp;cryptocurrency&nbsp;mining&nbsp;mal</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">APIs)&nbsp;&nbsp;Additionally,&nbsp;some&nbsp;cryptocurrency&nbsp;mining&nbsp;malware&nbsp;iden</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ware&nbsp;identify&nbsp;then&nbsp;kill&nbsp;off&nbsp;processes&nbsp;for&nbsp;competing&nbsp;malware&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tify&nbsp;then&nbsp;kill&nbsp;off&nbsp;processes&nbsp;for&nbsp;competing&nbsp;malware&nbsp;to&nbsp;ensure</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">to&nbsp;ensure&nbsp;it\u2019s&nbsp;not&nbsp;competing&nbsp;for&nbsp;resources.(Citation:&nbsp;Trend&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;it\u2019s&nbsp;not&nbsp;competing&nbsp;for&nbsp;resources.(Citation:&nbsp;Trend&nbsp;Micro&nbsp;War</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Micro&nbsp;War&nbsp;of&nbsp;Crypto&nbsp;Miners)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;malwar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;of&nbsp;Crypto&nbsp;Miners)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;malware&nbsp;that&nbsp;le</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;that&nbsp;leverages&nbsp;a&nbsp;system's&nbsp;network&nbsp;bandwidth&nbsp;as&nbsp;part&nbsp;of&nbsp;a&nbsp;b</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">verages&nbsp;a&nbsp;system's&nbsp;network&nbsp;bandwidth&nbsp;as&nbsp;part&nbsp;of&nbsp;a&nbsp;botnet&nbsp;in&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">otnet&nbsp;in&nbsp;order&nbsp;to&nbsp;facilitate&nbsp;[Network&nbsp;Denial&nbsp;of&nbsp;Service](htt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">order&nbsp;to&nbsp;facilitate&nbsp;[Network&nbsp;Denial&nbsp;of&nbsp;Service](https://atta</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ps://attack.mitre.org/techniques/T1498)&nbsp;campaigns&nbsp;and/or&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ck.mitre.org/techniques/T1498)&nbsp;campaigns&nbsp;and/or&nbsp;to&nbsp;seed&nbsp;mali</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">seed&nbsp;malicious&nbsp;torrents.(Citation:&nbsp;GoBotKR)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cious&nbsp;torrents.(Citation:&nbsp;GoBotKR)&nbsp;Alternatively,&nbsp;they&nbsp;may&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ngage&nbsp;in&nbsp;proxyjacking&nbsp;by&nbsp;selling&nbsp;use&nbsp;of&nbsp;the&nbsp;victims'&nbsp;network</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;bandwidth&nbsp;and&nbsp;IP&nbsp;address&nbsp;to&nbsp;proxyware&nbsp;services.(Citation:&nbsp;S</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ysdig&nbsp;Proxyjacking)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to3__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to3__0\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"from3_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;i</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"to3_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;leverage&nbsp;the&nbsp;resources&nbsp;of&nbsp;co-opted&nbsp;systems&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">n&nbsp;order&nbsp;to&nbsp;solve&nbsp;resource&nbsp;intensive&nbsp;problems,&nbsp;which&nbsp;may&nbsp;impa</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;complete&nbsp;resource-intensive&nbsp;tasks,&nbsp;which&nbsp;may&nbsp;impact&nbsp;system</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ct&nbsp;system&nbsp;and/or&nbsp;hosted&nbsp;service&nbsp;availability.&nbsp;&nbsp;&nbsp;One&nbsp;common&nbsp;p</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;and/or&nbsp;hosted&nbsp;service&nbsp;availability.&nbsp;&nbsp;&nbsp;One&nbsp;common&nbsp;purpose&nbsp;fo</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">urpose&nbsp;for&nbsp;Resource&nbsp;Hijacking&nbsp;is&nbsp;to&nbsp;validate&nbsp;transactions&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">r&nbsp;Resource&nbsp;Hijacking&nbsp;is&nbsp;to&nbsp;validate&nbsp;transactions&nbsp;of&nbsp;cryptocu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;cryptocurrency&nbsp;networks&nbsp;and&nbsp;earn&nbsp;virtual&nbsp;currency.&nbsp;Adversar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rrency&nbsp;networks&nbsp;and&nbsp;earn&nbsp;virtual&nbsp;currency.&nbsp;Adversaries&nbsp;may&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ies&nbsp;may&nbsp;consume&nbsp;enough&nbsp;system&nbsp;resources&nbsp;to&nbsp;negatively&nbsp;impact</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">onsume&nbsp;enough&nbsp;system&nbsp;resources&nbsp;to&nbsp;negatively&nbsp;impact&nbsp;and/or&nbsp;c</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;and/or&nbsp;cause&nbsp;affected&nbsp;machines&nbsp;to&nbsp;become&nbsp;unresponsive.(Cita</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ause&nbsp;affected&nbsp;machines&nbsp;to&nbsp;become&nbsp;unresponsive.(Citation:&nbsp;Kas</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tion:&nbsp;Kaspersky&nbsp;Lazarus&nbsp;Under&nbsp;The&nbsp;Hood&nbsp;Blog&nbsp;2017)&nbsp;Servers&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">persky&nbsp;Lazarus&nbsp;Under&nbsp;The&nbsp;Hood&nbsp;Blog&nbsp;2017)&nbsp;Servers&nbsp;and&nbsp;cloud-b</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;cloud-based&nbsp;systems&nbsp;are&nbsp;common&nbsp;targets&nbsp;because&nbsp;of&nbsp;the&nbsp;high</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ased&nbsp;systems&nbsp;are&nbsp;common&nbsp;targets&nbsp;because&nbsp;of&nbsp;the&nbsp;high&nbsp;potentia</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;potential&nbsp;for&nbsp;available&nbsp;resources,&nbsp;but&nbsp;user&nbsp;endpoint&nbsp;system</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">l&nbsp;for&nbsp;available&nbsp;resources,&nbsp;but&nbsp;user&nbsp;endpoint&nbsp;systems&nbsp;may&nbsp;als</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;may&nbsp;also&nbsp;be&nbsp;compromised&nbsp;and&nbsp;used&nbsp;for&nbsp;Resource&nbsp;Hijacking&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;be&nbsp;compromised&nbsp;and&nbsp;used&nbsp;for&nbsp;Resource&nbsp;Hijacking&nbsp;and&nbsp;cryptoc</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;cryptocurrency&nbsp;mining.(Citation:&nbsp;CloudSploit&nbsp;-&nbsp;Unused&nbsp;AWS&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urrency&nbsp;mining.(Citation:&nbsp;CloudSploit&nbsp;-&nbsp;Unused&nbsp;AWS&nbsp;Regions)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Regions)&nbsp;Containerized&nbsp;environments&nbsp;may&nbsp;also&nbsp;be&nbsp;targeted&nbsp;due</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Containerized&nbsp;environments&nbsp;may&nbsp;also&nbsp;be&nbsp;targeted&nbsp;due&nbsp;to&nbsp;the&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;to&nbsp;the&nbsp;ease&nbsp;of&nbsp;deployment&nbsp;via&nbsp;exposed&nbsp;APIs&nbsp;and&nbsp;the&nbsp;potentia</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ase&nbsp;of&nbsp;deployment&nbsp;via&nbsp;exposed&nbsp;APIs&nbsp;and&nbsp;the&nbsp;potential&nbsp;for&nbsp;sca</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">l&nbsp;for&nbsp;scaling&nbsp;mining&nbsp;activities&nbsp;by&nbsp;deploying&nbsp;or&nbsp;compromising</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ling&nbsp;mining&nbsp;activities&nbsp;by&nbsp;deploying&nbsp;or&nbsp;compromising&nbsp;multiple</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;multiple&nbsp;containers&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;cluster.(Citat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;containers&nbsp;within&nbsp;an&nbsp;environment&nbsp;or&nbsp;cluster.(Citation:&nbsp;Unit</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ion:&nbsp;Unit&nbsp;42&nbsp;Hildegard&nbsp;Malware)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;Expose</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;42&nbsp;Hildegard&nbsp;Malware)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;Exposed&nbsp;Docker&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;Docker&nbsp;APIs)&nbsp;&nbsp;Additionally,&nbsp;some&nbsp;cryptocurrency&nbsp;mining&nbsp;mal</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">APIs)&nbsp;&nbsp;Additionally,&nbsp;some&nbsp;cryptocurrency&nbsp;mining&nbsp;malware&nbsp;iden</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ware&nbsp;identify&nbsp;then&nbsp;kill&nbsp;off&nbsp;processes&nbsp;for&nbsp;competing&nbsp;malware&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tify&nbsp;then&nbsp;kill&nbsp;off&nbsp;processes&nbsp;for&nbsp;competing&nbsp;malware&nbsp;to&nbsp;ensure</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">to&nbsp;ensure&nbsp;it\u2019s&nbsp;not&nbsp;competing&nbsp;for&nbsp;resources.(Citation:&nbsp;Trend&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;it\u2019s&nbsp;not&nbsp;competing&nbsp;for&nbsp;resources.(Citation:&nbsp;Trend&nbsp;Micro&nbsp;War</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Micro&nbsp;War&nbsp;of&nbsp;Crypto&nbsp;Miners)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;malwar</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;of&nbsp;Crypto&nbsp;Miners)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;use&nbsp;malware&nbsp;that&nbsp;le</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;that&nbsp;leverages&nbsp;a&nbsp;system's&nbsp;network&nbsp;bandwidth&nbsp;as&nbsp;part&nbsp;of&nbsp;a&nbsp;b</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">verages&nbsp;a&nbsp;system's&nbsp;network&nbsp;bandwidth&nbsp;as&nbsp;part&nbsp;of&nbsp;a&nbsp;botnet&nbsp;in&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">otnet&nbsp;in&nbsp;order&nbsp;to&nbsp;facilitate&nbsp;[Network&nbsp;Denial&nbsp;of&nbsp;Service](htt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">order&nbsp;to&nbsp;facilitate&nbsp;[Network&nbsp;Denial&nbsp;of&nbsp;Service](https://atta</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ps://attack.mitre.org/techniques/T1498)&nbsp;campaigns&nbsp;and/or&nbsp;to&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ck.mitre.org/techniques/T1498)&nbsp;campaigns&nbsp;and/or&nbsp;to&nbsp;seed&nbsp;mali</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">seed&nbsp;malicious&nbsp;torrents.(Citation:&nbsp;GoBotKR)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cious&nbsp;torrents.(Citation:&nbsp;GoBotKR)&nbsp;Alternatively,&nbsp;they&nbsp;may&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ngage&nbsp;in&nbsp;proxyjacking&nbsp;by&nbsp;selling&nbsp;use&nbsp;of&nbsp;the&nbsp;victims'&nbsp;network</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;bandwidth&nbsp;and&nbsp;IP&nbsp;address&nbsp;to&nbsp;proxyware&nbsp;services.(Citation:&nbsp;S</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ysdig&nbsp;Proxyjacking)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [],
                         "new": [],
@@ -11417,7 +11417,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 11:56:26.862000+00:00\", \"old_value\": \"2021-07-27 16:43:25.027000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\\n\\nEach <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.\\n\\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)\", \"old_value\": \"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\\n\\nEach <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.\\n\\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.\\n \\n-An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.\\n+An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.(Citation: Falcon Sandbox smp: 28553b3a9d)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"Falcon Sandbox smp: 28553b3a9d\", \"description\": \"Hybrid Analysis. (2018, July 11). HybridAnalsysis of sample 28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7. Retrieved September 8, 2023.\", \"url\": \"https://www.hybrid-analysis.com/sample/28553b3a9d2ad4361d33d29ac4bf771d008e0073cec01b5561c6348a608f8dd7?environmentId=300\"}}}",
                     "previous_version": "1.1",
                     "version_change": "1.1 \u2192 1.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to37__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to37__0\"><a href=\"#difflib_chg_to37__top\">t</a></td><td class=\"diff_header\" id=\"from37_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td><td class=\"diff_next\"><a href=\"#difflib_chg_to37__top\">t</a></td><td class=\"diff_header\" id=\"to37_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;for&nbsp;initial&nbsp;or&nbsp;recurring&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;code.&nbsp;Sy</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;for&nbsp;initial&nbsp;or&nbsp;recurring&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;code.&nbsp;Sy</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stemd&nbsp;timers&nbsp;are&nbsp;unit&nbsp;files&nbsp;with&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.timer</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stemd&nbsp;timers&nbsp;are&nbsp;unit&nbsp;files&nbsp;with&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.timer</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;/code&gt;&nbsp;that&nbsp;control&nbsp;services.&nbsp;Timers&nbsp;can&nbsp;be&nbsp;set&nbsp;to&nbsp;run&nbsp;on&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;/code&gt;&nbsp;that&nbsp;control&nbsp;services.&nbsp;Timers&nbsp;can&nbsp;be&nbsp;set&nbsp;to&nbsp;run&nbsp;on&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;calendar&nbsp;event&nbsp;or&nbsp;after&nbsp;a&nbsp;time&nbsp;span&nbsp;relative&nbsp;to&nbsp;a&nbsp;starting&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;calendar&nbsp;event&nbsp;or&nbsp;after&nbsp;a&nbsp;time&nbsp;span&nbsp;relative&nbsp;to&nbsp;a&nbsp;starting&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">point.&nbsp;They&nbsp;can&nbsp;be&nbsp;used&nbsp;as&nbsp;an&nbsp;alternative&nbsp;to&nbsp;[Cron](https://</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">point.&nbsp;They&nbsp;can&nbsp;be&nbsp;used&nbsp;as&nbsp;an&nbsp;alternative&nbsp;to&nbsp;[Cron](https://</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">attack.mitre.org/techniques/T1053/003)&nbsp;in&nbsp;Linux&nbsp;environments</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">attack.mitre.org/techniques/T1053/003)&nbsp;in&nbsp;Linux&nbsp;environments</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;archlinux&nbsp;Systemd&nbsp;Timers&nbsp;Aug&nbsp;2020)&nbsp;Systemd&nbsp;timer</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;archlinux&nbsp;Systemd&nbsp;Timers&nbsp;Aug&nbsp;2020)&nbsp;Systemd&nbsp;timer</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;may&nbsp;be&nbsp;activated&nbsp;remotely&nbsp;via&nbsp;the&nbsp;&lt;code&gt;systemctl&lt;/code&gt;&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;may&nbsp;be&nbsp;activated&nbsp;remotely&nbsp;via&nbsp;the&nbsp;&lt;code&gt;systemctl&lt;/code&gt;&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ommand&nbsp;line&nbsp;utility,&nbsp;which&nbsp;operates&nbsp;over&nbsp;[SSH](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ommand&nbsp;line&nbsp;utility,&nbsp;which&nbsp;operates&nbsp;over&nbsp;[SSH](https://attac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1021/004).(Citation:&nbsp;Systemd&nbsp;Remote&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1021/004).(Citation:&nbsp;Systemd&nbsp;Remote&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Control)&nbsp;&nbsp;Each&nbsp;&lt;code&gt;.timer&lt;/code&gt;&nbsp;file&nbsp;must&nbsp;have&nbsp;a&nbsp;correspo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Control)&nbsp;&nbsp;Each&nbsp;&lt;code&gt;.timer&lt;/code&gt;&nbsp;file&nbsp;must&nbsp;have&nbsp;a&nbsp;correspo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nding&nbsp;&lt;code&gt;.service&lt;/code&gt;&nbsp;file&nbsp;with&nbsp;the&nbsp;same&nbsp;name,&nbsp;e.g.,&nbsp;&lt;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nding&nbsp;&lt;code&gt;.service&lt;/code&gt;&nbsp;file&nbsp;with&nbsp;the&nbsp;same&nbsp;name,&nbsp;e.g.,&nbsp;&lt;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;example.timer&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;example.service&lt;/code&gt;.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;example.timer&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;example.service&lt;/code&gt;.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;code&gt;.service&lt;/code&gt;&nbsp;files&nbsp;are&nbsp;[Systemd&nbsp;Service](https://at</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;code&gt;.service&lt;/code&gt;&nbsp;files&nbsp;are&nbsp;[Systemd&nbsp;Service](https://at</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tack.mitre.org/techniques/T1543/002)&nbsp;unit&nbsp;files&nbsp;that&nbsp;are&nbsp;man</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tack.mitre.org/techniques/T1543/002)&nbsp;unit&nbsp;files&nbsp;that&nbsp;are&nbsp;man</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aged&nbsp;by&nbsp;the&nbsp;systemd&nbsp;system&nbsp;and&nbsp;service&nbsp;manager.(Citation:&nbsp;Li</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aged&nbsp;by&nbsp;the&nbsp;systemd&nbsp;system&nbsp;and&nbsp;service&nbsp;manager.(Citation:&nbsp;Li</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nux&nbsp;man-pages:&nbsp;systemd&nbsp;January&nbsp;2014)&nbsp;Privileged&nbsp;timers&nbsp;are&nbsp;w</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nux&nbsp;man-pages:&nbsp;systemd&nbsp;January&nbsp;2014)&nbsp;Privileged&nbsp;timers&nbsp;are&nbsp;w</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ritten&nbsp;to&nbsp;&lt;code&gt;/etc/systemd/system/&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;/usr/l</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ritten&nbsp;to&nbsp;&lt;code&gt;/etc/systemd/system/&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;/usr/l</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ib/systemd/system&lt;/code&gt;&nbsp;while&nbsp;user&nbsp;level&nbsp;are&nbsp;written&nbsp;to&nbsp;&lt;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ib/systemd/system&lt;/code&gt;&nbsp;while&nbsp;user&nbsp;level&nbsp;are&nbsp;written&nbsp;to&nbsp;&lt;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;~/.config/systemd/user/&lt;/code&gt;.&nbsp;&nbsp;An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;sys</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;~/.config/systemd/user/&lt;/code&gt;.&nbsp;&nbsp;An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;sys</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">temd&nbsp;timers&nbsp;to&nbsp;execute&nbsp;malicious&nbsp;code&nbsp;at&nbsp;system&nbsp;startup&nbsp;or&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">temd&nbsp;timers&nbsp;to&nbsp;execute&nbsp;malicious&nbsp;code&nbsp;at&nbsp;system&nbsp;startup&nbsp;or&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;a&nbsp;scheduled&nbsp;basis&nbsp;for&nbsp;persistence.(Citation:&nbsp;Arch&nbsp;Linux&nbsp;Pa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;a&nbsp;scheduled&nbsp;basis&nbsp;for&nbsp;persistence.(Citation:&nbsp;Arch&nbsp;Linux&nbsp;Pa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ckage&nbsp;Systemd&nbsp;Compromise&nbsp;BleepingComputer&nbsp;10JUL2018)(Citatio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ckage&nbsp;Systemd&nbsp;Compromise&nbsp;BleepingComputer&nbsp;10JUL2018)(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;gist&nbsp;Arch&nbsp;package&nbsp;compromise&nbsp;10JUL2018)(Citation:&nbsp;acrorea</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;gist&nbsp;Arch&nbsp;package&nbsp;compromise&nbsp;10JUL2018)(Citation:&nbsp;acrorea</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;package&nbsp;compromised&nbsp;Arch&nbsp;Linux&nbsp;Mail&nbsp;8JUL2018)&nbsp;Timers&nbsp;insta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;package&nbsp;compromised&nbsp;Arch&nbsp;Linux&nbsp;Mail&nbsp;8JUL2018)&nbsp;Timers&nbsp;insta</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lled&nbsp;using&nbsp;privileged&nbsp;paths&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;maintain&nbsp;root&nbsp;lev</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lled&nbsp;using&nbsp;privileged&nbsp;paths&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;maintain&nbsp;root&nbsp;lev</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">el&nbsp;persistence.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;install&nbsp;user&nbsp;level&nbsp;time</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">el&nbsp;persistence.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;install&nbsp;user&nbsp;level&nbsp;time</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rs&nbsp;to&nbsp;achieve&nbsp;user&nbsp;level&nbsp;persistence.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rs&nbsp;to&nbsp;achieve&nbsp;user&nbsp;level&nbsp;persistence.<span class=\"diff_add\">(Citation:&nbsp;Falcon&nbsp;Sandb</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ox&nbsp;smp:&nbsp;28553b3a9d)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to21__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to21__0\"><a href=\"#difflib_chg_to21__top\">t</a></td><td class=\"diff_header\" id=\"from21_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td><td class=\"diff_next\"><a href=\"#difflib_chg_to21__top\">t</a></td><td class=\"diff_header\" id=\"to21_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;abuse&nbsp;systemd&nbsp;timers&nbsp;to&nbsp;perform&nbsp;task&nbsp;schedul</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;for&nbsp;initial&nbsp;or&nbsp;recurring&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;code.&nbsp;Sy</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;for&nbsp;initial&nbsp;or&nbsp;recurring&nbsp;execution&nbsp;of&nbsp;malicious&nbsp;code.&nbsp;Sy</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stemd&nbsp;timers&nbsp;are&nbsp;unit&nbsp;files&nbsp;with&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.timer</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stemd&nbsp;timers&nbsp;are&nbsp;unit&nbsp;files&nbsp;with&nbsp;file&nbsp;extension&nbsp;&lt;code&gt;.timer</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;/code&gt;&nbsp;that&nbsp;control&nbsp;services.&nbsp;Timers&nbsp;can&nbsp;be&nbsp;set&nbsp;to&nbsp;run&nbsp;on&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;/code&gt;&nbsp;that&nbsp;control&nbsp;services.&nbsp;Timers&nbsp;can&nbsp;be&nbsp;set&nbsp;to&nbsp;run&nbsp;on&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;calendar&nbsp;event&nbsp;or&nbsp;after&nbsp;a&nbsp;time&nbsp;span&nbsp;relative&nbsp;to&nbsp;a&nbsp;starting&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;calendar&nbsp;event&nbsp;or&nbsp;after&nbsp;a&nbsp;time&nbsp;span&nbsp;relative&nbsp;to&nbsp;a&nbsp;starting&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">point.&nbsp;They&nbsp;can&nbsp;be&nbsp;used&nbsp;as&nbsp;an&nbsp;alternative&nbsp;to&nbsp;[Cron](https://</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">point.&nbsp;They&nbsp;can&nbsp;be&nbsp;used&nbsp;as&nbsp;an&nbsp;alternative&nbsp;to&nbsp;[Cron](https://</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">attack.mitre.org/techniques/T1053/003)&nbsp;in&nbsp;Linux&nbsp;environments</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">attack.mitre.org/techniques/T1053/003)&nbsp;in&nbsp;Linux&nbsp;environments</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;archlinux&nbsp;Systemd&nbsp;Timers&nbsp;Aug&nbsp;2020)&nbsp;Systemd&nbsp;timer</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;archlinux&nbsp;Systemd&nbsp;Timers&nbsp;Aug&nbsp;2020)&nbsp;Systemd&nbsp;timer</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;may&nbsp;be&nbsp;activated&nbsp;remotely&nbsp;via&nbsp;the&nbsp;&lt;code&gt;systemctl&lt;/code&gt;&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;may&nbsp;be&nbsp;activated&nbsp;remotely&nbsp;via&nbsp;the&nbsp;&lt;code&gt;systemctl&lt;/code&gt;&nbsp;c</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ommand&nbsp;line&nbsp;utility,&nbsp;which&nbsp;operates&nbsp;over&nbsp;[SSH](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ommand&nbsp;line&nbsp;utility,&nbsp;which&nbsp;operates&nbsp;over&nbsp;[SSH](https://attac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1021/004).(Citation:&nbsp;Systemd&nbsp;Remote&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/techniques/T1021/004).(Citation:&nbsp;Systemd&nbsp;Remote&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Control)&nbsp;&nbsp;Each&nbsp;&lt;code&gt;.timer&lt;/code&gt;&nbsp;file&nbsp;must&nbsp;have&nbsp;a&nbsp;correspo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Control)&nbsp;&nbsp;Each&nbsp;&lt;code&gt;.timer&lt;/code&gt;&nbsp;file&nbsp;must&nbsp;have&nbsp;a&nbsp;correspo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nding&nbsp;&lt;code&gt;.service&lt;/code&gt;&nbsp;file&nbsp;with&nbsp;the&nbsp;same&nbsp;name,&nbsp;e.g.,&nbsp;&lt;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nding&nbsp;&lt;code&gt;.service&lt;/code&gt;&nbsp;file&nbsp;with&nbsp;the&nbsp;same&nbsp;name,&nbsp;e.g.,&nbsp;&lt;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;example.timer&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;example.service&lt;/code&gt;.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">code&gt;example.timer&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;example.service&lt;/code&gt;.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;code&gt;.service&lt;/code&gt;&nbsp;files&nbsp;are&nbsp;[Systemd&nbsp;Service](https://at</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&lt;code&gt;.service&lt;/code&gt;&nbsp;files&nbsp;are&nbsp;[Systemd&nbsp;Service](https://at</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tack.mitre.org/techniques/T1543/002)&nbsp;unit&nbsp;files&nbsp;that&nbsp;are&nbsp;man</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tack.mitre.org/techniques/T1543/002)&nbsp;unit&nbsp;files&nbsp;that&nbsp;are&nbsp;man</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aged&nbsp;by&nbsp;the&nbsp;systemd&nbsp;system&nbsp;and&nbsp;service&nbsp;manager.(Citation:&nbsp;Li</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">aged&nbsp;by&nbsp;the&nbsp;systemd&nbsp;system&nbsp;and&nbsp;service&nbsp;manager.(Citation:&nbsp;Li</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nux&nbsp;man-pages:&nbsp;systemd&nbsp;January&nbsp;2014)&nbsp;Privileged&nbsp;timers&nbsp;are&nbsp;w</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nux&nbsp;man-pages:&nbsp;systemd&nbsp;January&nbsp;2014)&nbsp;Privileged&nbsp;timers&nbsp;are&nbsp;w</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ritten&nbsp;to&nbsp;&lt;code&gt;/etc/systemd/system/&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;/usr/l</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ritten&nbsp;to&nbsp;&lt;code&gt;/etc/systemd/system/&lt;/code&gt;&nbsp;and&nbsp;&lt;code&gt;/usr/l</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ib/systemd/system&lt;/code&gt;&nbsp;while&nbsp;user&nbsp;level&nbsp;are&nbsp;written&nbsp;to&nbsp;&lt;co</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ib/systemd/system&lt;/code&gt;&nbsp;while&nbsp;user&nbsp;level&nbsp;are&nbsp;written&nbsp;to&nbsp;&lt;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;~/.config/systemd/user/&lt;/code&gt;.&nbsp;&nbsp;An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;sys</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">de&gt;~/.config/systemd/user/&lt;/code&gt;.&nbsp;&nbsp;An&nbsp;adversary&nbsp;may&nbsp;use&nbsp;sys</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">temd&nbsp;timers&nbsp;to&nbsp;execute&nbsp;malicious&nbsp;code&nbsp;at&nbsp;system&nbsp;startup&nbsp;or&nbsp;o</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">temd&nbsp;timers&nbsp;to&nbsp;execute&nbsp;malicious&nbsp;code&nbsp;at&nbsp;system&nbsp;startup&nbsp;or&nbsp;o</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;a&nbsp;scheduled&nbsp;basis&nbsp;for&nbsp;persistence.(Citation:&nbsp;Arch&nbsp;Linux&nbsp;Pa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;a&nbsp;scheduled&nbsp;basis&nbsp;for&nbsp;persistence.(Citation:&nbsp;Arch&nbsp;Linux&nbsp;Pa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ckage&nbsp;Systemd&nbsp;Compromise&nbsp;BleepingComputer&nbsp;10JUL2018)(Citatio</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ckage&nbsp;Systemd&nbsp;Compromise&nbsp;BleepingComputer&nbsp;10JUL2018)(Citatio</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;gist&nbsp;Arch&nbsp;package&nbsp;compromise&nbsp;10JUL2018)(Citation:&nbsp;acrorea</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n:&nbsp;gist&nbsp;Arch&nbsp;package&nbsp;compromise&nbsp;10JUL2018)(Citation:&nbsp;acrorea</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;package&nbsp;compromised&nbsp;Arch&nbsp;Linux&nbsp;Mail&nbsp;8JUL2018)&nbsp;Timers&nbsp;insta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;package&nbsp;compromised&nbsp;Arch&nbsp;Linux&nbsp;Mail&nbsp;8JUL2018)&nbsp;Timers&nbsp;insta</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lled&nbsp;using&nbsp;privileged&nbsp;paths&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;maintain&nbsp;root&nbsp;lev</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lled&nbsp;using&nbsp;privileged&nbsp;paths&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;maintain&nbsp;root&nbsp;lev</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">el&nbsp;persistence.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;install&nbsp;user&nbsp;level&nbsp;time</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">el&nbsp;persistence.&nbsp;Adversaries&nbsp;may&nbsp;also&nbsp;install&nbsp;user&nbsp;level&nbsp;time</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rs&nbsp;to&nbsp;achieve&nbsp;user&nbsp;level&nbsp;persistence.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rs&nbsp;to&nbsp;achieve&nbsp;user&nbsp;level&nbsp;persistence.<span class=\"diff_add\">(Citation:&nbsp;Falcon&nbsp;Sandb</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ox&nbsp;smp:&nbsp;28553b3a9d)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1018: User Account Management",
@@ -11513,7 +11513,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-12 21:17:14.868000+00:00\", \"old_value\": \"2022-04-19 20:31:10.657000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\\n\\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\\n\\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\\n\\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)\", \"old_value\": \"Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like <code>CreateProcess</code>, <code>LoadLibrary</code>, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)\\n\\nThe module loader can load DLLs:\\n\\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\\n    \\n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\\n    \\n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\\n    \\n* via <code>&#x3c;file name=\\\"filename.extension\\\" loadFrom=\\\"fully-qualified or relative pathname\\\"&#x3e;</code> in an embedded or external \\\"application manifest\\\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\\n\\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.\", \"diff\": \"--- \\n+++ \\n@@ -1,13 +1,7 @@\\n-Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like <code>CreateProcess</code>, <code>LoadLibrary</code>, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)\\n+Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).\\n \\n-The module loader can load DLLs:\\n+Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\\n \\n-* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\\n-    \\n-* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\\n-    \\n-* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\\n-    \\n-* via <code>&#x3c;file name=\\\"filename.extension\\\" loadFrom=\\\"fully-qualified or relative pathname\\\"&#x3e;</code> in an embedded or external \\\"application manifest\\\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\\n+The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)\\n \\n-Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.\\n+The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"RotaJakiro 2021 netlab360 analysis\", \"old_value\": \"Wikipedia Windows Library Files\"}, \"root['external_references'][1]['description']\": {\"new_value\": \" Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.\", \"old_value\": \"Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/\", \"old_value\": \"https://en.wikipedia.org/wiki/Microsoft_Windows_library_files\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. \\n\\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.\", \"old_value\": \"Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to <code>%SystemRoot%</code> and <code>%ProgramFiles%</code> directories will protect against module loads from unsafe paths. \\n\\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to <code>%SystemRoot%</code> and <code>%ProgramFiles%</code> directories will protect against module loads from unsafe paths. \\n+Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. \\n \\n Correlation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Apple Dev Dynamic Libraries\", \"description\": \"Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.\", \"url\": \"https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html\"}, \"root['external_references'][3]\": {\"source_name\": \"Unit42 OceanLotus 2017\", \"description\": \"Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.\", \"url\": \"https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/\"}, \"root['external_references'][4]\": {\"source_name\": \"Microsoft DLL\", \"description\": \"Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.\", \"url\": \"https://learn.microsoft.com/troubleshoot/windows-client/deployment/dynamic-link-library\"}, \"root['external_references'][5]\": {\"source_name\": \"Linux Shared Libraries\", \"description\": \"Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.\", \"url\": \"https://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html\"}, \"root['x_mitre_platforms'][1]\": \"macOS\", \"root['x_mitre_platforms'][2]\": \"Linux\"}}",
                     "previous_version": "2.1",
                     "version_change": "2.1 \u2192 2.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to39__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to39__0\"><a href=\"#difflib_chg_to39__top\">t</a></td><td class=\"diff_header\" id=\"from39_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to39__top\">t</a></td><td class=\"diff_header\" id=\"to39_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;modules.&nbsp;The&nbsp;Windows&nbsp;module&nbsp;loader&nbsp;can&nbsp;be&nbsp;instructed&nbsp;to&nbsp;lo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;modules.&nbsp;Shared&nbsp;modules&nbsp;are&nbsp;executable&nbsp;files&nbsp;that&nbsp;are&nbsp;load</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ad&nbsp;DLLs&nbsp;from&nbsp;arbitrary&nbsp;local&nbsp;paths&nbsp;and&nbsp;arbitrary&nbsp;Universal&nbsp;N</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ed&nbsp;into&nbsp;processes&nbsp;to&nbsp;provide&nbsp;access&nbsp;to&nbsp;reusable&nbsp;code,&nbsp;such&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">aming&nbsp;Convention&nbsp;(UNC)&nbsp;network&nbsp;paths.&nbsp;This&nbsp;functionality&nbsp;res</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;specific&nbsp;custom&nbsp;functions&nbsp;or&nbsp;invoking&nbsp;OS&nbsp;API&nbsp;functions&nbsp;(i.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ides&nbsp;in&nbsp;NTDLL.dll&nbsp;and&nbsp;is&nbsp;part&nbsp;of&nbsp;the&nbsp;Windows&nbsp;[Native&nbsp;API](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e.,&nbsp;[Native&nbsp;API](https://attack.mitre.org/techniques/T1106))</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/techniques/T1106)&nbsp;which&nbsp;is&nbsp;called&nbsp;fro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;this&nbsp;functionality&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;execut</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">m&nbsp;functions&nbsp;like&nbsp;&lt;code&gt;CreateProcess&lt;/code&gt;,&nbsp;&lt;code&gt;LoadLibra</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;arbitrary&nbsp;payloads&nbsp;on&nbsp;a&nbsp;victim&nbsp;system.&nbsp;For&nbsp;example,&nbsp;advers</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&lt;/code&gt;,&nbsp;etc.&nbsp;of&nbsp;the&nbsp;Win32&nbsp;API.(Citation:&nbsp;Wikipedia&nbsp;Window</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">aries&nbsp;can&nbsp;modularize&nbsp;functionality&nbsp;of&nbsp;their&nbsp;malware&nbsp;into&nbsp;sha</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;Library&nbsp;Files)&nbsp;&nbsp;The&nbsp;module&nbsp;loader&nbsp;can&nbsp;load&nbsp;DLLs:&nbsp;&nbsp;*&nbsp;via&nbsp;sp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">red&nbsp;objects&nbsp;that&nbsp;perform&nbsp;various&nbsp;functions&nbsp;such&nbsp;as&nbsp;managing&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ecification&nbsp;of&nbsp;the&nbsp;(fully-qualified&nbsp;or&nbsp;relative)&nbsp;DLL&nbsp;pathnam</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">C2&nbsp;network&nbsp;communications&nbsp;or&nbsp;execution&nbsp;of&nbsp;specific&nbsp;actions&nbsp;o</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;in&nbsp;the&nbsp;IMPORT&nbsp;directory;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;via&nbsp;EXPORT&nbsp;forwarded&nbsp;to&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n&nbsp;objective.&nbsp;&nbsp;The&nbsp;Linux&nbsp;&amp;&nbsp;macOS&nbsp;module&nbsp;loader&nbsp;can&nbsp;load&nbsp;and&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">other&nbsp;DLL,&nbsp;specified&nbsp;with&nbsp;(fully-qualified&nbsp;or&nbsp;relative)&nbsp;path</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xecute&nbsp;shared&nbsp;objects&nbsp;from&nbsp;arbitrary&nbsp;local&nbsp;paths.&nbsp;This&nbsp;funct</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">name&nbsp;(but&nbsp;without&nbsp;extension);&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;via&nbsp;an&nbsp;NTFS&nbsp;junction&nbsp;or</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ionality&nbsp;resides&nbsp;in&nbsp;`dlfcn.h`&nbsp;in&nbsp;functions&nbsp;such&nbsp;as&nbsp;`dlopen`&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;symlink&nbsp;program.exe.local&nbsp;with&nbsp;the&nbsp;fully-qualified&nbsp;or&nbsp;relat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">and&nbsp;`dlsym`.&nbsp;Although&nbsp;macOS&nbsp;can&nbsp;execute&nbsp;`.so`&nbsp;files,&nbsp;common&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ive&nbsp;pathname&nbsp;of&nbsp;a&nbsp;directory&nbsp;containing&nbsp;the&nbsp;DLLs&nbsp;specified&nbsp;in</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">practice&nbsp;uses&nbsp;`.dylib`&nbsp;files.(Citation:&nbsp;Apple&nbsp;Dev&nbsp;Dynamic&nbsp;Li</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;IMPORT&nbsp;directory&nbsp;or&nbsp;forwarded&nbsp;EXPORTs;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;via&nbsp;&lt;code</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">braries)(Citation:&nbsp;Linux&nbsp;Shared&nbsp;Libraries)(Citation:&nbsp;RotaJak</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&gt;&amp;#x3c;file&nbsp;name=\"filename.extension\"&nbsp;loadFrom=\"fully-qualif</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iro&nbsp;2021&nbsp;netlab360&nbsp;analysis)(Citation:&nbsp;Unit42&nbsp;OceanLotus&nbsp;201</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ied&nbsp;or&nbsp;relative&nbsp;pathname\"&amp;#x3e;&lt;/code&gt;&nbsp;in&nbsp;an&nbsp;embedded&nbsp;or&nbsp;ext</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">7)&nbsp;&nbsp;The&nbsp;Windows&nbsp;module&nbsp;loader&nbsp;can&nbsp;be&nbsp;instructed&nbsp;to&nbsp;load&nbsp;DLLs</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ernal&nbsp;\"application&nbsp;manifest\".&nbsp;The&nbsp;file&nbsp;name&nbsp;refers&nbsp;to&nbsp;an&nbsp;ent</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;from&nbsp;arbitrary&nbsp;local&nbsp;paths&nbsp;and&nbsp;arbitrary&nbsp;Universal&nbsp;Naming&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;in&nbsp;the&nbsp;IMPORT&nbsp;directory&nbsp;or&nbsp;a&nbsp;forwarded&nbsp;EXPORT.&nbsp;&nbsp;Adversari</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">onvention&nbsp;(UNC)&nbsp;network&nbsp;paths.&nbsp;This&nbsp;functionality&nbsp;resides&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;may&nbsp;use&nbsp;this&nbsp;functionality&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;execute&nbsp;arbitrary&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;`NTDLL.dll`&nbsp;and&nbsp;is&nbsp;part&nbsp;of&nbsp;the&nbsp;Windows&nbsp;[Native&nbsp;API](https:/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">payloads&nbsp;on&nbsp;a&nbsp;victim&nbsp;system.&nbsp;For&nbsp;example,&nbsp;malware&nbsp;may&nbsp;execut</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/attack.mitre.org/techniques/T1106)&nbsp;which&nbsp;is&nbsp;called&nbsp;from&nbsp;fun</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;share&nbsp;modules&nbsp;to&nbsp;load&nbsp;additional&nbsp;components&nbsp;or&nbsp;features.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctions&nbsp;like&nbsp;`LoadLibrary`&nbsp;at&nbsp;run&nbsp;time.(Citation:&nbsp;Microsoft&nbsp;D</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">LL)</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to23__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to23__0\"><a href=\"#difflib_chg_to23__top\">t</a></td><td class=\"diff_header\" id=\"from23_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to23__top\">t</a></td><td class=\"diff_header\" id=\"to23_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;execute&nbsp;malicious&nbsp;payloads&nbsp;via&nbsp;loading&nbsp;share</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">d&nbsp;modules.&nbsp;The&nbsp;Windows&nbsp;module&nbsp;loader&nbsp;can&nbsp;be&nbsp;instructed&nbsp;to&nbsp;lo</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;modules.&nbsp;Shared&nbsp;modules&nbsp;are&nbsp;executable&nbsp;files&nbsp;that&nbsp;are&nbsp;load</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ad&nbsp;DLLs&nbsp;from&nbsp;arbitrary&nbsp;local&nbsp;paths&nbsp;and&nbsp;arbitrary&nbsp;Universal&nbsp;N</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ed&nbsp;into&nbsp;processes&nbsp;to&nbsp;provide&nbsp;access&nbsp;to&nbsp;reusable&nbsp;code,&nbsp;such&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">aming&nbsp;Convention&nbsp;(UNC)&nbsp;network&nbsp;paths.&nbsp;This&nbsp;functionality&nbsp;res</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;specific&nbsp;custom&nbsp;functions&nbsp;or&nbsp;invoking&nbsp;OS&nbsp;API&nbsp;functions&nbsp;(i.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ides&nbsp;in&nbsp;NTDLL.dll&nbsp;and&nbsp;is&nbsp;part&nbsp;of&nbsp;the&nbsp;Windows&nbsp;[Native&nbsp;API](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e.,&nbsp;[Native&nbsp;API](https://attack.mitre.org/techniques/T1106))</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/techniques/T1106)&nbsp;which&nbsp;is&nbsp;called&nbsp;fro</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;this&nbsp;functionality&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;execut</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">m&nbsp;functions&nbsp;like&nbsp;&lt;code&gt;CreateProcess&lt;/code&gt;,&nbsp;&lt;code&gt;LoadLibra</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;arbitrary&nbsp;payloads&nbsp;on&nbsp;a&nbsp;victim&nbsp;system.&nbsp;For&nbsp;example,&nbsp;advers</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&lt;/code&gt;,&nbsp;etc.&nbsp;of&nbsp;the&nbsp;Win32&nbsp;API.(Citation:&nbsp;Wikipedia&nbsp;Window</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">aries&nbsp;can&nbsp;modularize&nbsp;functionality&nbsp;of&nbsp;their&nbsp;malware&nbsp;into&nbsp;sha</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">s&nbsp;Library&nbsp;Files)&nbsp;&nbsp;The&nbsp;module&nbsp;loader&nbsp;can&nbsp;load&nbsp;DLLs:&nbsp;&nbsp;*&nbsp;via&nbsp;sp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">red&nbsp;objects&nbsp;that&nbsp;perform&nbsp;various&nbsp;functions&nbsp;such&nbsp;as&nbsp;managing&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ecification&nbsp;of&nbsp;the&nbsp;(fully-qualified&nbsp;or&nbsp;relative)&nbsp;DLL&nbsp;pathnam</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">C2&nbsp;network&nbsp;communications&nbsp;or&nbsp;execution&nbsp;of&nbsp;specific&nbsp;actions&nbsp;o</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;in&nbsp;the&nbsp;IMPORT&nbsp;directory;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;via&nbsp;EXPORT&nbsp;forwarded&nbsp;to&nbsp;an</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">n&nbsp;objective.&nbsp;&nbsp;The&nbsp;Linux&nbsp;&amp;&nbsp;macOS&nbsp;module&nbsp;loader&nbsp;can&nbsp;load&nbsp;and&nbsp;e</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">other&nbsp;DLL,&nbsp;specified&nbsp;with&nbsp;(fully-qualified&nbsp;or&nbsp;relative)&nbsp;path</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">xecute&nbsp;shared&nbsp;objects&nbsp;from&nbsp;arbitrary&nbsp;local&nbsp;paths.&nbsp;This&nbsp;funct</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">name&nbsp;(but&nbsp;without&nbsp;extension);&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;via&nbsp;an&nbsp;NTFS&nbsp;junction&nbsp;or</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ionality&nbsp;resides&nbsp;in&nbsp;`dlfcn.h`&nbsp;in&nbsp;functions&nbsp;such&nbsp;as&nbsp;`dlopen`&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;symlink&nbsp;program.exe.local&nbsp;with&nbsp;the&nbsp;fully-qualified&nbsp;or&nbsp;relat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">and&nbsp;`dlsym`.&nbsp;Although&nbsp;macOS&nbsp;can&nbsp;execute&nbsp;`.so`&nbsp;files,&nbsp;common&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ive&nbsp;pathname&nbsp;of&nbsp;a&nbsp;directory&nbsp;containing&nbsp;the&nbsp;DLLs&nbsp;specified&nbsp;in</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">practice&nbsp;uses&nbsp;`.dylib`&nbsp;files.(Citation:&nbsp;Apple&nbsp;Dev&nbsp;Dynamic&nbsp;Li</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;the&nbsp;IMPORT&nbsp;directory&nbsp;or&nbsp;forwarded&nbsp;EXPORTs;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*&nbsp;via&nbsp;&lt;code</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">braries)(Citation:&nbsp;Linux&nbsp;Shared&nbsp;Libraries)(Citation:&nbsp;RotaJak</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&gt;&amp;#x3c;file&nbsp;name=\"filename.extension\"&nbsp;loadFrom=\"fully-qualif</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">iro&nbsp;2021&nbsp;netlab360&nbsp;analysis)(Citation:&nbsp;Unit42&nbsp;OceanLotus&nbsp;201</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ied&nbsp;or&nbsp;relative&nbsp;pathname\"&amp;#x3e;&lt;/code&gt;&nbsp;in&nbsp;an&nbsp;embedded&nbsp;or&nbsp;ext</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">7)&nbsp;&nbsp;The&nbsp;Windows&nbsp;module&nbsp;loader&nbsp;can&nbsp;be&nbsp;instructed&nbsp;to&nbsp;load&nbsp;DLLs</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ernal&nbsp;\"application&nbsp;manifest\".&nbsp;The&nbsp;file&nbsp;name&nbsp;refers&nbsp;to&nbsp;an&nbsp;ent</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;from&nbsp;arbitrary&nbsp;local&nbsp;paths&nbsp;and&nbsp;arbitrary&nbsp;Universal&nbsp;Naming&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ry&nbsp;in&nbsp;the&nbsp;IMPORT&nbsp;directory&nbsp;or&nbsp;a&nbsp;forwarded&nbsp;EXPORT.&nbsp;&nbsp;Adversari</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">onvention&nbsp;(UNC)&nbsp;network&nbsp;paths.&nbsp;This&nbsp;functionality&nbsp;resides&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;may&nbsp;use&nbsp;this&nbsp;functionality&nbsp;as&nbsp;a&nbsp;way&nbsp;to&nbsp;execute&nbsp;arbitrary&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;`NTDLL.dll`&nbsp;and&nbsp;is&nbsp;part&nbsp;of&nbsp;the&nbsp;Windows&nbsp;[Native&nbsp;API](https:/</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">payloads&nbsp;on&nbsp;a&nbsp;victim&nbsp;system.&nbsp;For&nbsp;example,&nbsp;malware&nbsp;may&nbsp;execut</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/attack.mitre.org/techniques/T1106)&nbsp;which&nbsp;is&nbsp;called&nbsp;from&nbsp;fun</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;share&nbsp;modules&nbsp;to&nbsp;load&nbsp;additional&nbsp;components&nbsp;or&nbsp;features.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctions&nbsp;like&nbsp;`LoadLibrary`&nbsp;at&nbsp;run&nbsp;time.(Citation:&nbsp;Microsoft&nbsp;D</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">LL)</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1038: Execution Prevention"
@@ -11591,7 +11591,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\", \"Administrator\", \"SYSTEM\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-27 20:31:36.724000+00:00\", \"old_value\": \"2023-03-30 21:01:36.669000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).  \\n\\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\\n\\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.\", \"old_value\": \"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\\n\\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\\n\\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\\n+Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).  \\n \\n-Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\\n+Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\\n \\n The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation\", \"description\": \"ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.\", \"url\": \"https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem\"}, \"root['x_mitre_contributors'][1]\": \"Joe Gumke, U.S. Bank\", \"root['x_mitre_platforms'][3]\": \"Network\"}}",
                     "previous_version": "2.1",
                     "version_change": "2.1 \u2192 2.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to19__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to19__0\"><a href=\"#difflib_chg_to19__top\">t</a></td><td class=\"diff_header\" id=\"from19_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to19__top\">t</a></td><td class=\"diff_header\" id=\"to19_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">suites&nbsp;installed&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network,&nbsp;such&nbsp;as&nbsp;admin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">suites&nbsp;installed&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network,&nbsp;such&nbsp;as&nbsp;admin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">istration,&nbsp;monitoring,&nbsp;and&nbsp;deployment&nbsp;systems,&nbsp;to&nbsp;move&nbsp;later</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">istration,&nbsp;monitoring,&nbsp;and&nbsp;deployment&nbsp;systems,&nbsp;to&nbsp;move&nbsp;later</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;through&nbsp;the&nbsp;network.&nbsp;Third-party&nbsp;applications&nbsp;and&nbsp;softw</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;through&nbsp;the&nbsp;network.&nbsp;Third-party&nbsp;applications&nbsp;and&nbsp;softw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are&nbsp;deployment&nbsp;systems&nbsp;may&nbsp;be&nbsp;in&nbsp;use&nbsp;in&nbsp;the&nbsp;network&nbsp;environm</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are&nbsp;deployment&nbsp;systems&nbsp;may&nbsp;be&nbsp;in&nbsp;use&nbsp;in&nbsp;the&nbsp;network&nbsp;environm</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ent&nbsp;for&nbsp;administration&nbsp;purposes&nbsp;(e.g.,&nbsp;SCCM,&nbsp;HBSS,&nbsp;Altiris,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ent&nbsp;for&nbsp;administration&nbsp;purposes&nbsp;(e.g.,&nbsp;SCCM,&nbsp;HBSS,&nbsp;Altiris,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etc.).&nbsp;&nbsp;Access&nbsp;to&nbsp;a&nbsp;third-party&nbsp;network-wide&nbsp;or&nbsp;enterprise-w</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etc.).&nbsp;&nbsp;<span class=\"diff_add\">&nbsp;&nbsp;</span>Access&nbsp;to&nbsp;a&nbsp;third-party&nbsp;network-wide&nbsp;or&nbsp;enterprise</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ide&nbsp;software&nbsp;system&nbsp;may&nbsp;enable&nbsp;an&nbsp;adversary&nbsp;to&nbsp;have&nbsp;remote&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">-wide&nbsp;software&nbsp;system&nbsp;may&nbsp;enable&nbsp;an&nbsp;adversary&nbsp;to&nbsp;have&nbsp;remote</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ode&nbsp;execution&nbsp;on&nbsp;all&nbsp;systems&nbsp;that&nbsp;are&nbsp;connected&nbsp;to&nbsp;such&nbsp;a&nbsp;sy</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;code&nbsp;execution&nbsp;on&nbsp;all&nbsp;systems&nbsp;that&nbsp;are&nbsp;connected&nbsp;to&nbsp;such&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stem.&nbsp;The&nbsp;access&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;laterally&nbsp;move&nbsp;to&nbsp;other&nbsp;syst</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">system.&nbsp;The&nbsp;access&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;laterally&nbsp;move&nbsp;to&nbsp;other&nbsp;sy</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ems,&nbsp;gather&nbsp;information,&nbsp;or&nbsp;cause&nbsp;a&nbsp;specific&nbsp;effect,&nbsp;such&nbsp;as</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stems,&nbsp;gather&nbsp;information,&nbsp;or&nbsp;cause&nbsp;a&nbsp;specific&nbsp;effect,&nbsp;such&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;wiping&nbsp;the&nbsp;hard&nbsp;drives&nbsp;on&nbsp;all&nbsp;endpoints.&nbsp;&nbsp;The&nbsp;permissions&nbsp;r</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;wiping&nbsp;the&nbsp;hard&nbsp;drives&nbsp;on&nbsp;all&nbsp;endpoints.&nbsp;<span class=\"diff_add\">Network&nbsp;infrastr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">equired&nbsp;for&nbsp;this&nbsp;action&nbsp;vary&nbsp;by&nbsp;system&nbsp;configuration;&nbsp;local&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ucture&nbsp;may&nbsp;also&nbsp;have&nbsp;administration&nbsp;tools&nbsp;that&nbsp;can&nbsp;be&nbsp;simila</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">credentials&nbsp;may&nbsp;be&nbsp;sufficient&nbsp;with&nbsp;direct&nbsp;access&nbsp;to&nbsp;the&nbsp;thir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rly&nbsp;abused&nbsp;by&nbsp;adversaries.&nbsp;(Citation:&nbsp;Fortinet&nbsp;Zero-Day&nbsp;and&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d-party&nbsp;system,&nbsp;or&nbsp;specific&nbsp;domain&nbsp;credentials&nbsp;may&nbsp;be&nbsp;requir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Custom&nbsp;Malware&nbsp;Used&nbsp;by&nbsp;Suspected&nbsp;Chinese&nbsp;Actor&nbsp;in&nbsp;Espionage&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed.&nbsp;However,&nbsp;the&nbsp;system&nbsp;may&nbsp;require&nbsp;an&nbsp;administrative&nbsp;accoun</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Operation)&nbsp;</span>&nbsp;The&nbsp;permissions&nbsp;required&nbsp;for&nbsp;this&nbsp;action&nbsp;vary&nbsp;by</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;to&nbsp;log&nbsp;in&nbsp;or&nbsp;to&nbsp;perform&nbsp;it's&nbsp;intended&nbsp;purpose.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;configuration;&nbsp;local&nbsp;credentials&nbsp;may&nbsp;be&nbsp;sufficient&nbsp;w</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ith&nbsp;direct&nbsp;access&nbsp;to&nbsp;the&nbsp;third-party&nbsp;system,&nbsp;or&nbsp;specific&nbsp;dom</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ain&nbsp;credentials&nbsp;may&nbsp;be&nbsp;required.&nbsp;However,&nbsp;the&nbsp;system&nbsp;may&nbsp;req</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uire&nbsp;an&nbsp;administrative&nbsp;account&nbsp;to&nbsp;log&nbsp;in&nbsp;or&nbsp;to&nbsp;perform&nbsp;it's&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intended&nbsp;purpose.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to18__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to18__0\"><a href=\"#difflib_chg_to18__top\">t</a></td><td class=\"diff_header\" id=\"from18_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to18__top\">t</a></td><td class=\"diff_header\" id=\"to18_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;gain&nbsp;access&nbsp;to&nbsp;and&nbsp;use&nbsp;third-party&nbsp;software&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">suites&nbsp;installed&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network,&nbsp;such&nbsp;as&nbsp;admin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">suites&nbsp;installed&nbsp;within&nbsp;an&nbsp;enterprise&nbsp;network,&nbsp;such&nbsp;as&nbsp;admin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">istration,&nbsp;monitoring,&nbsp;and&nbsp;deployment&nbsp;systems,&nbsp;to&nbsp;move&nbsp;later</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">istration,&nbsp;monitoring,&nbsp;and&nbsp;deployment&nbsp;systems,&nbsp;to&nbsp;move&nbsp;later</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;through&nbsp;the&nbsp;network.&nbsp;Third-party&nbsp;applications&nbsp;and&nbsp;softw</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ally&nbsp;through&nbsp;the&nbsp;network.&nbsp;Third-party&nbsp;applications&nbsp;and&nbsp;softw</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are&nbsp;deployment&nbsp;systems&nbsp;may&nbsp;be&nbsp;in&nbsp;use&nbsp;in&nbsp;the&nbsp;network&nbsp;environm</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">are&nbsp;deployment&nbsp;systems&nbsp;may&nbsp;be&nbsp;in&nbsp;use&nbsp;in&nbsp;the&nbsp;network&nbsp;environm</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ent&nbsp;for&nbsp;administration&nbsp;purposes&nbsp;(e.g.,&nbsp;SCCM,&nbsp;HBSS,&nbsp;Altiris,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ent&nbsp;for&nbsp;administration&nbsp;purposes&nbsp;(e.g.,&nbsp;SCCM,&nbsp;HBSS,&nbsp;Altiris,&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etc.).&nbsp;&nbsp;Access&nbsp;to&nbsp;a&nbsp;third-party&nbsp;network-wide&nbsp;or&nbsp;enterprise-w</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etc.).&nbsp;&nbsp;<span class=\"diff_add\">&nbsp;&nbsp;</span>Access&nbsp;to&nbsp;a&nbsp;third-party&nbsp;network-wide&nbsp;or&nbsp;enterprise</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ide&nbsp;software&nbsp;system&nbsp;may&nbsp;enable&nbsp;an&nbsp;adversary&nbsp;to&nbsp;have&nbsp;remote&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">-wide&nbsp;software&nbsp;system&nbsp;may&nbsp;enable&nbsp;an&nbsp;adversary&nbsp;to&nbsp;have&nbsp;remote</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ode&nbsp;execution&nbsp;on&nbsp;all&nbsp;systems&nbsp;that&nbsp;are&nbsp;connected&nbsp;to&nbsp;such&nbsp;a&nbsp;sy</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;code&nbsp;execution&nbsp;on&nbsp;all&nbsp;systems&nbsp;that&nbsp;are&nbsp;connected&nbsp;to&nbsp;such&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stem.&nbsp;The&nbsp;access&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;laterally&nbsp;move&nbsp;to&nbsp;other&nbsp;syst</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">system.&nbsp;The&nbsp;access&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;laterally&nbsp;move&nbsp;to&nbsp;other&nbsp;sy</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ems,&nbsp;gather&nbsp;information,&nbsp;or&nbsp;cause&nbsp;a&nbsp;specific&nbsp;effect,&nbsp;such&nbsp;as</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">stems,&nbsp;gather&nbsp;information,&nbsp;or&nbsp;cause&nbsp;a&nbsp;specific&nbsp;effect,&nbsp;such&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;wiping&nbsp;the&nbsp;hard&nbsp;drives&nbsp;on&nbsp;all&nbsp;endpoints.&nbsp;&nbsp;The&nbsp;permissions&nbsp;r</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">as&nbsp;wiping&nbsp;the&nbsp;hard&nbsp;drives&nbsp;on&nbsp;all&nbsp;endpoints.&nbsp;<span class=\"diff_add\">Network&nbsp;infrastr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">equired&nbsp;for&nbsp;this&nbsp;action&nbsp;vary&nbsp;by&nbsp;system&nbsp;configuration;&nbsp;local&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ucture&nbsp;may&nbsp;also&nbsp;have&nbsp;administration&nbsp;tools&nbsp;that&nbsp;can&nbsp;be&nbsp;simila</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">credentials&nbsp;may&nbsp;be&nbsp;sufficient&nbsp;with&nbsp;direct&nbsp;access&nbsp;to&nbsp;the&nbsp;thir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rly&nbsp;abused&nbsp;by&nbsp;adversaries.&nbsp;(Citation:&nbsp;Fortinet&nbsp;Zero-Day&nbsp;and&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d-party&nbsp;system,&nbsp;or&nbsp;specific&nbsp;domain&nbsp;credentials&nbsp;may&nbsp;be&nbsp;requir</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Custom&nbsp;Malware&nbsp;Used&nbsp;by&nbsp;Suspected&nbsp;Chinese&nbsp;Actor&nbsp;in&nbsp;Espionage&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed.&nbsp;However,&nbsp;the&nbsp;system&nbsp;may&nbsp;require&nbsp;an&nbsp;administrative&nbsp;accoun</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Operation)&nbsp;</span>&nbsp;The&nbsp;permissions&nbsp;required&nbsp;for&nbsp;this&nbsp;action&nbsp;vary&nbsp;by</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;to&nbsp;log&nbsp;in&nbsp;or&nbsp;to&nbsp;perform&nbsp;it's&nbsp;intended&nbsp;purpose.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;configuration;&nbsp;local&nbsp;credentials&nbsp;may&nbsp;be&nbsp;sufficient&nbsp;w</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ith&nbsp;direct&nbsp;access&nbsp;to&nbsp;the&nbsp;third-party&nbsp;system,&nbsp;or&nbsp;specific&nbsp;dom</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ain&nbsp;credentials&nbsp;may&nbsp;be&nbsp;required.&nbsp;However,&nbsp;the&nbsp;system&nbsp;may&nbsp;req</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uire&nbsp;an&nbsp;administrative&nbsp;account&nbsp;to&nbsp;log&nbsp;in&nbsp;or&nbsp;to&nbsp;perform&nbsp;it's&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">intended&nbsp;purpose.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1015: Active Directory Configuration",
@@ -12586,7 +12586,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 17:25:38.546000+00:00\", \"old_value\": \"2023-03-21 13:17:14.441000+00:00\"}, \"root['description']\": {\"new_value\": \"Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n\\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\\n\\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \\n\\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. \\n\", \"old_value\": \"Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n\\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\\n\\nOnce a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n+Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\\n \\n-Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\\n+Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\\n \\n-Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.\\n+An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \\n+\\n+Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.6\", \"old_value\": \"1.5\"}}}",
                     "previous_version": "1.5",
                     "version_change": "1.5 \u2192 1.6",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to5__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to5__0\"><a href=\"#difflib_chg_to5__top\">t</a></td><td class=\"diff_header\" id=\"from5_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;obtain&nbsp;and&nbsp;abuse&nbsp;credentials&nbsp;of&nbsp;a&nbsp;cloud&nbsp;acco</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to5__top\">t</a></td><td class=\"diff_header\" id=\"to5_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Valid&nbsp;accounts&nbsp;in&nbsp;cloud&nbsp;environments&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">unt&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;gaining&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Privi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;perform&nbsp;actions&nbsp;to&nbsp;achieve&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Pr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;thos</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ivilege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;users</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hose&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;us</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;administration&nbsp;of&nbsp;resourc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ers,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;administration&nbsp;of&nbsp;reso</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;or&nbsp;SaaS&nbsp;application.&nbsp;In&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urces&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;or&nbsp;SaaS&nbsp;application.&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ome&nbsp;cases,&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;be&nbsp;federated&nbsp;with&nbsp;traditional&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">loud&nbsp;Accounts&nbsp;can&nbsp;exist&nbsp;solely&nbsp;in&nbsp;the&nbsp;cloud&nbsp;or&nbsp;be&nbsp;hybrid&nbsp;joi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">identity&nbsp;management&nbsp;systems,&nbsp;such&nbsp;as&nbsp;Windows&nbsp;Active&nbsp;Director</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ned&nbsp;between&nbsp;on-premises&nbsp;systems&nbsp;and&nbsp;the&nbsp;cloud&nbsp;through&nbsp;federa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y.(Citation:&nbsp;AWS&nbsp;Identity&nbsp;Federation)(Citation:&nbsp;Google&nbsp;Feder</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion&nbsp;with&nbsp;other&nbsp;identity&nbsp;sources&nbsp;such&nbsp;as&nbsp;Windows&nbsp;Active&nbsp;Dire</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ating&nbsp;GC)(Citation:&nbsp;Microsoft&nbsp;Deploying&nbsp;AD&nbsp;Federation)&nbsp;&nbsp;Comp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctory.&nbsp;(Citation:&nbsp;AWS&nbsp;Identity&nbsp;Federation)(Citation:&nbsp;Google&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">romised&nbsp;credentials&nbsp;for&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;harves</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Federating&nbsp;GC)(Citation:&nbsp;Microsoft&nbsp;Deploying&nbsp;AD&nbsp;Federation)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;sensitive&nbsp;data&nbsp;from&nbsp;online&nbsp;storage&nbsp;accounts&nbsp;and&nbsp;databases.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Service&nbsp;or&nbsp;user&nbsp;accounts&nbsp;may&nbsp;be&nbsp;targeted&nbsp;by&nbsp;adversaries&nbsp;thr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Access&nbsp;to&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;gain&nbsp;Initial</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ough&nbsp;[Brute&nbsp;Force](https://attack.mitre.org/techniques/T1110</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Access&nbsp;to&nbsp;a&nbsp;network&nbsp;by&nbsp;abusing&nbsp;a&nbsp;[Trusted&nbsp;Relationship](htt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">),&nbsp;[Phishing](https://attack.mitre.org/techniques/T1566),&nbsp;or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ps://attack.mitre.org/techniques/T1199).&nbsp;Similar&nbsp;to&nbsp;[Domain&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;various&nbsp;other&nbsp;means&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;the&nbsp;environment.&nbsp;Fede</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Accounts](https://attack.mitre.org/techniques/T1078/002),&nbsp;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rated&nbsp;accounts&nbsp;may&nbsp;be&nbsp;a&nbsp;pathway&nbsp;for&nbsp;the&nbsp;adversary&nbsp;to&nbsp;affect&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mpromise&nbsp;of&nbsp;federated&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">both&nbsp;on-premises&nbsp;systems&nbsp;and&nbsp;cloud&nbsp;environments.&nbsp;&nbsp;An&nbsp;adversa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;more&nbsp;easily&nbsp;move&nbsp;laterally&nbsp;within&nbsp;an&nbsp;environment.&nbsp;&nbsp;Once&nbsp;a&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ry&nbsp;may&nbsp;create&nbsp;long&nbsp;lasting&nbsp;[Additional&nbsp;Cloud&nbsp;Credentials](ht</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cloud&nbsp;account&nbsp;is&nbsp;compromised,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;perform&nbsp;[Acco</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tps://attack.mitre.org/techniques/T1098/001)&nbsp;on&nbsp;a&nbsp;compromise</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">unt&nbsp;Manipulation](https://attack.mitre.org/techniques/T1098)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;in&nbsp;the&nbsp;environment.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;-&nbsp;for&nbsp;example,&nbsp;by&nbsp;adding&nbsp;[Additional&nbsp;Cloud&nbsp;Roles](https://a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Such&nbsp;credentials&nbsp;may&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;bypass&nbsp;security&nbsp;control</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ttack.mitre.org/techniques/T1098/003)&nbsp;-&nbsp;to&nbsp;maintain&nbsp;persiste</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;such&nbsp;as&nbsp;multi-factor&nbsp;authentication.&nbsp;&nbsp;&nbsp;Cloud&nbsp;accounts&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nce&nbsp;and&nbsp;potentially&nbsp;escalate&nbsp;their&nbsp;privileges.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">also&nbsp;be&nbsp;able&nbsp;to&nbsp;assume&nbsp;[Temporary&nbsp;Elevated&nbsp;Cloud&nbsp;Access](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/techniques/T1548/005)&nbsp;or&nbsp;other&nbsp;privile</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ges&nbsp;through&nbsp;various&nbsp;means&nbsp;within&nbsp;the&nbsp;environment.&nbsp;Misconfigu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rations&nbsp;in&nbsp;role&nbsp;assignments&nbsp;or&nbsp;role&nbsp;assumption&nbsp;policies&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">allow&nbsp;an&nbsp;adversary&nbsp;to&nbsp;use&nbsp;these&nbsp;mechanisms&nbsp;to&nbsp;leverage&nbsp;permi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ssions&nbsp;outside&nbsp;the&nbsp;intended&nbsp;scope&nbsp;of&nbsp;the&nbsp;account.&nbsp;Such&nbsp;over&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">privileged&nbsp;accounts&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;harvest&nbsp;sensitive&nbsp;data&nbsp;fr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">om&nbsp;online&nbsp;storage&nbsp;accounts&nbsp;and&nbsp;databases&nbsp;through&nbsp;[Cloud&nbsp;API]</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(https://attack.mitre.org/techniques/T1059/009)&nbsp;or&nbsp;other&nbsp;met</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hods.&nbsp;&nbsp;</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to8__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to8__0\"><a href=\"#difflib_chg_to8__top\">t</a></td><td class=\"diff_header\" id=\"from8_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;obtain&nbsp;and&nbsp;abuse&nbsp;credentials&nbsp;of&nbsp;a&nbsp;cloud&nbsp;acco</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to8__top\">t</a></td><td class=\"diff_header\" id=\"to8_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Valid&nbsp;accounts&nbsp;in&nbsp;cloud&nbsp;environments&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">unt&nbsp;as&nbsp;a&nbsp;means&nbsp;of&nbsp;gaining&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Privi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">o&nbsp;perform&nbsp;actions&nbsp;to&nbsp;achieve&nbsp;Initial&nbsp;Access,&nbsp;Persistence,&nbsp;Pr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;thos</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ivilege&nbsp;Escalation,&nbsp;or&nbsp;Defense&nbsp;Evasion.&nbsp;Cloud&nbsp;accounts&nbsp;are&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">e&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;users</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hose&nbsp;created&nbsp;and&nbsp;configured&nbsp;by&nbsp;an&nbsp;organization&nbsp;for&nbsp;use&nbsp;by&nbsp;us</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;administration&nbsp;of&nbsp;resourc</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ers,&nbsp;remote&nbsp;support,&nbsp;services,&nbsp;or&nbsp;for&nbsp;administration&nbsp;of&nbsp;reso</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">es&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;or&nbsp;SaaS&nbsp;application.&nbsp;In&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">urces&nbsp;within&nbsp;a&nbsp;cloud&nbsp;service&nbsp;provider&nbsp;or&nbsp;SaaS&nbsp;application.&nbsp;C</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ome&nbsp;cases,&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;be&nbsp;federated&nbsp;with&nbsp;traditional&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">loud&nbsp;Accounts&nbsp;can&nbsp;exist&nbsp;solely&nbsp;in&nbsp;the&nbsp;cloud&nbsp;or&nbsp;be&nbsp;hybrid&nbsp;joi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">identity&nbsp;management&nbsp;systems,&nbsp;such&nbsp;as&nbsp;Windows&nbsp;Active&nbsp;Director</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ned&nbsp;between&nbsp;on-premises&nbsp;systems&nbsp;and&nbsp;the&nbsp;cloud&nbsp;through&nbsp;federa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">y.(Citation:&nbsp;AWS&nbsp;Identity&nbsp;Federation)(Citation:&nbsp;Google&nbsp;Feder</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tion&nbsp;with&nbsp;other&nbsp;identity&nbsp;sources&nbsp;such&nbsp;as&nbsp;Windows&nbsp;Active&nbsp;Dire</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ating&nbsp;GC)(Citation:&nbsp;Microsoft&nbsp;Deploying&nbsp;AD&nbsp;Federation)&nbsp;&nbsp;Comp</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ctory.&nbsp;(Citation:&nbsp;AWS&nbsp;Identity&nbsp;Federation)(Citation:&nbsp;Google&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">romised&nbsp;credentials&nbsp;for&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;be&nbsp;used&nbsp;to&nbsp;harves</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Federating&nbsp;GC)(Citation:&nbsp;Microsoft&nbsp;Deploying&nbsp;AD&nbsp;Federation)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">t&nbsp;sensitive&nbsp;data&nbsp;from&nbsp;online&nbsp;storage&nbsp;accounts&nbsp;and&nbsp;databases.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;Service&nbsp;or&nbsp;user&nbsp;accounts&nbsp;may&nbsp;be&nbsp;targeted&nbsp;by&nbsp;adversaries&nbsp;thr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Access&nbsp;to&nbsp;cloud&nbsp;accounts&nbsp;can&nbsp;also&nbsp;be&nbsp;abused&nbsp;to&nbsp;gain&nbsp;Initial</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ough&nbsp;[Brute&nbsp;Force](https://attack.mitre.org/techniques/T1110</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;Access&nbsp;to&nbsp;a&nbsp;network&nbsp;by&nbsp;abusing&nbsp;a&nbsp;[Trusted&nbsp;Relationship](htt</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">),&nbsp;[Phishing](https://attack.mitre.org/techniques/T1566),&nbsp;or</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ps://attack.mitre.org/techniques/T1199).&nbsp;Similar&nbsp;to&nbsp;[Domain&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;various&nbsp;other&nbsp;means&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;the&nbsp;environment.&nbsp;Fede</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Accounts](https://attack.mitre.org/techniques/T1078/002),&nbsp;co</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rated&nbsp;accounts&nbsp;may&nbsp;be&nbsp;a&nbsp;pathway&nbsp;for&nbsp;the&nbsp;adversary&nbsp;to&nbsp;affect&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">mpromise&nbsp;of&nbsp;federated&nbsp;cloud&nbsp;accounts&nbsp;may&nbsp;allow&nbsp;adversaries&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">both&nbsp;on-premises&nbsp;systems&nbsp;and&nbsp;cloud&nbsp;environments.&nbsp;&nbsp;An&nbsp;adversa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">o&nbsp;more&nbsp;easily&nbsp;move&nbsp;laterally&nbsp;within&nbsp;an&nbsp;environment.&nbsp;&nbsp;Once&nbsp;a&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ry&nbsp;may&nbsp;create&nbsp;long&nbsp;lasting&nbsp;[Additional&nbsp;Cloud&nbsp;Credentials](ht</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">cloud&nbsp;account&nbsp;is&nbsp;compromised,&nbsp;an&nbsp;adversary&nbsp;may&nbsp;perform&nbsp;[Acco</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tps://attack.mitre.org/techniques/T1098/001)&nbsp;on&nbsp;a&nbsp;compromise</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">unt&nbsp;Manipulation](https://attack.mitre.org/techniques/T1098)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">d&nbsp;cloud&nbsp;account&nbsp;to&nbsp;maintain&nbsp;persistence&nbsp;in&nbsp;the&nbsp;environment.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;-&nbsp;for&nbsp;example,&nbsp;by&nbsp;adding&nbsp;[Additional&nbsp;Cloud&nbsp;Roles](https://a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Such&nbsp;credentials&nbsp;may&nbsp;also&nbsp;be&nbsp;used&nbsp;to&nbsp;bypass&nbsp;security&nbsp;control</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ttack.mitre.org/techniques/T1098/003)&nbsp;-&nbsp;to&nbsp;maintain&nbsp;persiste</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;such&nbsp;as&nbsp;multi-factor&nbsp;authentication.&nbsp;&nbsp;&nbsp;Cloud&nbsp;accounts&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nce&nbsp;and&nbsp;potentially&nbsp;escalate&nbsp;their&nbsp;privileges.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">also&nbsp;be&nbsp;able&nbsp;to&nbsp;assume&nbsp;[Temporary&nbsp;Elevated&nbsp;Cloud&nbsp;Access](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/techniques/T1548/005)&nbsp;or&nbsp;other&nbsp;privile</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ges&nbsp;through&nbsp;various&nbsp;means&nbsp;within&nbsp;the&nbsp;environment.&nbsp;Misconfigu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rations&nbsp;in&nbsp;role&nbsp;assignments&nbsp;or&nbsp;role&nbsp;assumption&nbsp;policies&nbsp;may&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">allow&nbsp;an&nbsp;adversary&nbsp;to&nbsp;use&nbsp;these&nbsp;mechanisms&nbsp;to&nbsp;leverage&nbsp;permi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ssions&nbsp;outside&nbsp;the&nbsp;intended&nbsp;scope&nbsp;of&nbsp;the&nbsp;account.&nbsp;Such&nbsp;over&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">privileged&nbsp;accounts&nbsp;may&nbsp;be&nbsp;used&nbsp;to&nbsp;harvest&nbsp;sensitive&nbsp;data&nbsp;fr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">om&nbsp;online&nbsp;storage&nbsp;accounts&nbsp;and&nbsp;databases&nbsp;through&nbsp;[Cloud&nbsp;API]</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">(https://attack.mitre.org/techniques/T1059/009)&nbsp;or&nbsp;other&nbsp;met</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">hods.&nbsp;&nbsp;</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1015: Active Directory Configuration",
@@ -12960,7 +12960,7 @@
                     "x_mitre_version": "1.3",
                     "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\\n\\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\\n\\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\\n\\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\", \"old_value\": \"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\\n\\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\\n\\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\\n\\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\", \"diff\": \"--- \\n+++ \\n@@ -4,4 +4,4 @@\\n \\n For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\\n \\n-Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\\n+Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).\"}}}",
                     "previous_version": "1.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to12__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to12__0\"><a href=\"#difflib_chg_to12__top\">t</a></td><td class=\"diff_header\" id=\"from12_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td><td class=\"diff_next\"><a href=\"#difflib_chg_to12__top\">t</a></td><td class=\"diff_header\" id=\"to12_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ning&nbsp;on&nbsp;a&nbsp;system&nbsp;after&nbsp;gaining&nbsp;access.&nbsp;These&nbsp;methods&nbsp;can&nbsp;dif</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ning&nbsp;on&nbsp;a&nbsp;system&nbsp;after&nbsp;gaining&nbsp;access.&nbsp;These&nbsp;methods&nbsp;can&nbsp;dif</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fer&nbsp;from&nbsp;platform-as-a-service&nbsp;(PaaS),&nbsp;to&nbsp;infrastructure-as-</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fer&nbsp;from&nbsp;platform-as-a-service&nbsp;(PaaS),&nbsp;to&nbsp;infrastructure-as-</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a-service&nbsp;(IaaS),&nbsp;or&nbsp;software-as-a-service&nbsp;(SaaS).&nbsp;Many&nbsp;serv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a-service&nbsp;(IaaS),&nbsp;or&nbsp;software-as-a-service&nbsp;(SaaS).&nbsp;Many&nbsp;serv</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ices&nbsp;exist&nbsp;throughout&nbsp;the&nbsp;various&nbsp;cloud&nbsp;providers&nbsp;and&nbsp;can&nbsp;in</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ices&nbsp;exist&nbsp;throughout&nbsp;the&nbsp;various&nbsp;cloud&nbsp;providers&nbsp;and&nbsp;can&nbsp;in</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">clude&nbsp;Continuous&nbsp;Integration&nbsp;and&nbsp;Continuous&nbsp;Delivery&nbsp;(CI/CD)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">clude&nbsp;Continuous&nbsp;Integration&nbsp;and&nbsp;Continuous&nbsp;Delivery&nbsp;(CI/CD)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;Lambda&nbsp;Functions,&nbsp;Azure&nbsp;AD,&nbsp;etc.&nbsp;They&nbsp;may&nbsp;also&nbsp;include&nbsp;sec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;Lambda&nbsp;Functions,&nbsp;Azure&nbsp;AD,&nbsp;etc.&nbsp;They&nbsp;may&nbsp;also&nbsp;include&nbsp;sec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urity&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;GuardDuty&nbsp;and&nbsp;Microsoft&nbsp;Defender</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urity&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;GuardDuty&nbsp;and&nbsp;Microsoft&nbsp;Defender</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;for&nbsp;Cloud,&nbsp;and&nbsp;logging&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;CloudTrail&nbsp;and</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;for&nbsp;Cloud,&nbsp;and&nbsp;logging&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;CloudTrail&nbsp;and</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Google&nbsp;Cloud&nbsp;Audit&nbsp;Logs.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;discov</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Google&nbsp;Cloud&nbsp;Audit&nbsp;Logs.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;discov</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;information&nbsp;about&nbsp;the&nbsp;services&nbsp;enabled&nbsp;throughout&nbsp;the&nbsp;env</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;information&nbsp;about&nbsp;the&nbsp;services&nbsp;enabled&nbsp;throughout&nbsp;the&nbsp;env</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment.&nbsp;Azure&nbsp;tools&nbsp;and&nbsp;APIs,&nbsp;such&nbsp;as&nbsp;the&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment.&nbsp;Azure&nbsp;tools&nbsp;and&nbsp;APIs,&nbsp;such&nbsp;as&nbsp;the&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">PI&nbsp;and&nbsp;Azure&nbsp;Resource&nbsp;Manager&nbsp;API,&nbsp;can&nbsp;enumerate&nbsp;resources&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">PI&nbsp;and&nbsp;Azure&nbsp;Resource&nbsp;Manager&nbsp;API,&nbsp;can&nbsp;enumerate&nbsp;resources&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;services,&nbsp;including&nbsp;applications,&nbsp;management&nbsp;groups,&nbsp;reso</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;services,&nbsp;including&nbsp;applications,&nbsp;management&nbsp;groups,&nbsp;reso</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urces&nbsp;and&nbsp;policy&nbsp;definitions,&nbsp;and&nbsp;their&nbsp;relationships&nbsp;that&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urces&nbsp;and&nbsp;policy&nbsp;definitions,&nbsp;and&nbsp;their&nbsp;relationships&nbsp;that&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;accessible&nbsp;by&nbsp;an&nbsp;identity.(Citation:&nbsp;Azure&nbsp;-&nbsp;Resource&nbsp;Man</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;accessible&nbsp;by&nbsp;an&nbsp;identity.(Citation:&nbsp;Azure&nbsp;-&nbsp;Resource&nbsp;Man</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ager&nbsp;API)(Citation:&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;API)&nbsp;&nbsp;For&nbsp;example,&nbsp;Storms</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ager&nbsp;API)(Citation:&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;API)&nbsp;&nbsp;For&nbsp;example,&nbsp;Storms</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">potter&nbsp;is&nbsp;an&nbsp;open&nbsp;source&nbsp;tool&nbsp;for&nbsp;enumerating&nbsp;and&nbsp;constructi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">potter&nbsp;is&nbsp;an&nbsp;open&nbsp;source&nbsp;tool&nbsp;for&nbsp;enumerating&nbsp;and&nbsp;constructi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;a&nbsp;graph&nbsp;for&nbsp;Azure&nbsp;resources&nbsp;and&nbsp;services,&nbsp;and&nbsp;Pacu&nbsp;is&nbsp;an&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;a&nbsp;graph&nbsp;for&nbsp;Azure&nbsp;resources&nbsp;and&nbsp;services,&nbsp;and&nbsp;Pacu&nbsp;is&nbsp;an&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">open&nbsp;source&nbsp;AWS&nbsp;exploitation&nbsp;framework&nbsp;that&nbsp;supports&nbsp;several</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">open&nbsp;source&nbsp;AWS&nbsp;exploitation&nbsp;framework&nbsp;that&nbsp;supports&nbsp;several</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;methods&nbsp;for&nbsp;discovering&nbsp;cloud&nbsp;services.(Citation:&nbsp;Azure&nbsp;-&nbsp;S</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;methods&nbsp;for&nbsp;discovering&nbsp;cloud&nbsp;services.(Citation:&nbsp;Azure&nbsp;-&nbsp;S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tormspotter)(Citation:&nbsp;GitHub&nbsp;Pacu)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tormspotter)(Citation:&nbsp;GitHub&nbsp;Pacu)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;information&nbsp;gained&nbsp;to&nbsp;shape&nbsp;follow-on&nbsp;behaviors,&nbsp;such&nbsp;as&nbsp;ta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;information&nbsp;gained&nbsp;to&nbsp;shape&nbsp;follow-on&nbsp;behaviors,&nbsp;such&nbsp;as&nbsp;ta</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rgeting&nbsp;data&nbsp;or&nbsp;credentials&nbsp;from&nbsp;enumerated&nbsp;services&nbsp;or&nbsp;evad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rgeting&nbsp;data&nbsp;or&nbsp;credentials&nbsp;from&nbsp;enumerated&nbsp;services&nbsp;or&nbsp;evad</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;identified&nbsp;defenses&nbsp;through&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;Tools](ht</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;identified&nbsp;defenses&nbsp;through&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;Tools](ht</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1562/001)&nbsp;or&nbsp;[Disable&nbsp;Clo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1562/001)&nbsp;or&nbsp;[Disable&nbsp;<span class=\"diff_add\">or&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ud&nbsp;Logs](https://attack.mitre.org/techniques/T1562/008).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Modify&nbsp;</span>Cloud&nbsp;Logs](https://attack.mitre.org/techniques/T1562</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/008).</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to11__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to11__0\"><a href=\"#difflib_chg_to11__top\">t</a></td><td class=\"diff_header\" id=\"from11_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td><td class=\"diff_next\"><a href=\"#difflib_chg_to11__top\">t</a></td><td class=\"diff_header\" id=\"to11_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;attempt&nbsp;to&nbsp;enumerate&nbsp;the&nbsp;cloud&nbsp;services&nbsp;run</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ning&nbsp;on&nbsp;a&nbsp;system&nbsp;after&nbsp;gaining&nbsp;access.&nbsp;These&nbsp;methods&nbsp;can&nbsp;dif</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ning&nbsp;on&nbsp;a&nbsp;system&nbsp;after&nbsp;gaining&nbsp;access.&nbsp;These&nbsp;methods&nbsp;can&nbsp;dif</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fer&nbsp;from&nbsp;platform-as-a-service&nbsp;(PaaS),&nbsp;to&nbsp;infrastructure-as-</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fer&nbsp;from&nbsp;platform-as-a-service&nbsp;(PaaS),&nbsp;to&nbsp;infrastructure-as-</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a-service&nbsp;(IaaS),&nbsp;or&nbsp;software-as-a-service&nbsp;(SaaS).&nbsp;Many&nbsp;serv</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">a-service&nbsp;(IaaS),&nbsp;or&nbsp;software-as-a-service&nbsp;(SaaS).&nbsp;Many&nbsp;serv</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ices&nbsp;exist&nbsp;throughout&nbsp;the&nbsp;various&nbsp;cloud&nbsp;providers&nbsp;and&nbsp;can&nbsp;in</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ices&nbsp;exist&nbsp;throughout&nbsp;the&nbsp;various&nbsp;cloud&nbsp;providers&nbsp;and&nbsp;can&nbsp;in</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">clude&nbsp;Continuous&nbsp;Integration&nbsp;and&nbsp;Continuous&nbsp;Delivery&nbsp;(CI/CD)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">clude&nbsp;Continuous&nbsp;Integration&nbsp;and&nbsp;Continuous&nbsp;Delivery&nbsp;(CI/CD)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;Lambda&nbsp;Functions,&nbsp;Azure&nbsp;AD,&nbsp;etc.&nbsp;They&nbsp;may&nbsp;also&nbsp;include&nbsp;sec</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;Lambda&nbsp;Functions,&nbsp;Azure&nbsp;AD,&nbsp;etc.&nbsp;They&nbsp;may&nbsp;also&nbsp;include&nbsp;sec</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urity&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;GuardDuty&nbsp;and&nbsp;Microsoft&nbsp;Defender</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urity&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;GuardDuty&nbsp;and&nbsp;Microsoft&nbsp;Defender</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;for&nbsp;Cloud,&nbsp;and&nbsp;logging&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;CloudTrail&nbsp;and</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;for&nbsp;Cloud,&nbsp;and&nbsp;logging&nbsp;services,&nbsp;such&nbsp;as&nbsp;AWS&nbsp;CloudTrail&nbsp;and</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Google&nbsp;Cloud&nbsp;Audit&nbsp;Logs.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;discov</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Google&nbsp;Cloud&nbsp;Audit&nbsp;Logs.&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;attempt&nbsp;to&nbsp;discov</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;information&nbsp;about&nbsp;the&nbsp;services&nbsp;enabled&nbsp;throughout&nbsp;the&nbsp;env</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">er&nbsp;information&nbsp;about&nbsp;the&nbsp;services&nbsp;enabled&nbsp;throughout&nbsp;the&nbsp;env</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment.&nbsp;Azure&nbsp;tools&nbsp;and&nbsp;APIs,&nbsp;such&nbsp;as&nbsp;the&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ironment.&nbsp;Azure&nbsp;tools&nbsp;and&nbsp;APIs,&nbsp;such&nbsp;as&nbsp;the&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;A</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">PI&nbsp;and&nbsp;Azure&nbsp;Resource&nbsp;Manager&nbsp;API,&nbsp;can&nbsp;enumerate&nbsp;resources&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">PI&nbsp;and&nbsp;Azure&nbsp;Resource&nbsp;Manager&nbsp;API,&nbsp;can&nbsp;enumerate&nbsp;resources&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;services,&nbsp;including&nbsp;applications,&nbsp;management&nbsp;groups,&nbsp;reso</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;services,&nbsp;including&nbsp;applications,&nbsp;management&nbsp;groups,&nbsp;reso</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urces&nbsp;and&nbsp;policy&nbsp;definitions,&nbsp;and&nbsp;their&nbsp;relationships&nbsp;that&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">urces&nbsp;and&nbsp;policy&nbsp;definitions,&nbsp;and&nbsp;their&nbsp;relationships&nbsp;that&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;accessible&nbsp;by&nbsp;an&nbsp;identity.(Citation:&nbsp;Azure&nbsp;-&nbsp;Resource&nbsp;Man</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re&nbsp;accessible&nbsp;by&nbsp;an&nbsp;identity.(Citation:&nbsp;Azure&nbsp;-&nbsp;Resource&nbsp;Man</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ager&nbsp;API)(Citation:&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;API)&nbsp;&nbsp;For&nbsp;example,&nbsp;Storms</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ager&nbsp;API)(Citation:&nbsp;Azure&nbsp;AD&nbsp;Graph&nbsp;API)&nbsp;&nbsp;For&nbsp;example,&nbsp;Storms</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">potter&nbsp;is&nbsp;an&nbsp;open&nbsp;source&nbsp;tool&nbsp;for&nbsp;enumerating&nbsp;and&nbsp;constructi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">potter&nbsp;is&nbsp;an&nbsp;open&nbsp;source&nbsp;tool&nbsp;for&nbsp;enumerating&nbsp;and&nbsp;constructi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;a&nbsp;graph&nbsp;for&nbsp;Azure&nbsp;resources&nbsp;and&nbsp;services,&nbsp;and&nbsp;Pacu&nbsp;is&nbsp;an&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;a&nbsp;graph&nbsp;for&nbsp;Azure&nbsp;resources&nbsp;and&nbsp;services,&nbsp;and&nbsp;Pacu&nbsp;is&nbsp;an&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">open&nbsp;source&nbsp;AWS&nbsp;exploitation&nbsp;framework&nbsp;that&nbsp;supports&nbsp;several</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">open&nbsp;source&nbsp;AWS&nbsp;exploitation&nbsp;framework&nbsp;that&nbsp;supports&nbsp;several</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;methods&nbsp;for&nbsp;discovering&nbsp;cloud&nbsp;services.(Citation:&nbsp;Azure&nbsp;-&nbsp;S</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;methods&nbsp;for&nbsp;discovering&nbsp;cloud&nbsp;services.(Citation:&nbsp;Azure&nbsp;-&nbsp;S</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tormspotter)(Citation:&nbsp;GitHub&nbsp;Pacu)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tormspotter)(Citation:&nbsp;GitHub&nbsp;Pacu)&nbsp;&nbsp;Adversaries&nbsp;may&nbsp;use&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;information&nbsp;gained&nbsp;to&nbsp;shape&nbsp;follow-on&nbsp;behaviors,&nbsp;such&nbsp;as&nbsp;ta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;information&nbsp;gained&nbsp;to&nbsp;shape&nbsp;follow-on&nbsp;behaviors,&nbsp;such&nbsp;as&nbsp;ta</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rgeting&nbsp;data&nbsp;or&nbsp;credentials&nbsp;from&nbsp;enumerated&nbsp;services&nbsp;or&nbsp;evad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rgeting&nbsp;data&nbsp;or&nbsp;credentials&nbsp;from&nbsp;enumerated&nbsp;services&nbsp;or&nbsp;evad</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;identified&nbsp;defenses&nbsp;through&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;Tools](ht</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;identified&nbsp;defenses&nbsp;through&nbsp;[Disable&nbsp;or&nbsp;Modify&nbsp;Tools](ht</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1562/001)&nbsp;or&nbsp;[Disable&nbsp;Clo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tps://attack.mitre.org/techniques/T1562/001)&nbsp;or&nbsp;[Disable&nbsp;<span class=\"diff_add\">or&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ud&nbsp;Logs](https://attack.mitre.org/techniques/T1562/008).</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Modify&nbsp;</span>Cloud&nbsp;Logs](https://attack.mitre.org/techniques/T1562</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">/008).</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [],
                         "new": [],
@@ -13787,7 +13787,7 @@
                     "x_mitre_version": "1.2",
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_attack_spec_version']\": \"3.1.0\", \"root['x_mitre_deprecated']\": false}, \"dictionary_item_removed\": {\"root['x_mitre_permissions_required']\": [\"User\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 20:19:01.074000+00:00\", \"old_value\": \"2021-07-28 01:26:51.971000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\\n\\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\\n\\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n\\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.\", \"old_value\": \"An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\\n\\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\\n\\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n\\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.\", \"diff\": \"--- \\n+++ \\n@@ -2,6 +2,6 @@\\n \\n Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\\n \\n-There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n+There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\\n \\n After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.\"}}}",
                     "previous_version": "1.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to33__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to33__0\"><a href=\"#difflib_chg_to33__top\">t</a></td><td class=\"diff_header\" id=\"from33_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td><td class=\"diff_next\"><a href=\"#difflib_chg_to33__top\">t</a></td><td class=\"diff_header\" id=\"to33_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">okies&nbsp;and&nbsp;use&nbsp;them&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Int</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">okies&nbsp;and&nbsp;use&nbsp;them&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Int</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ernet&nbsp;services&nbsp;as&nbsp;an&nbsp;authenticated&nbsp;user&nbsp;without&nbsp;needing&nbsp;cred</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ernet&nbsp;services&nbsp;as&nbsp;an&nbsp;authenticated&nbsp;user&nbsp;without&nbsp;needing&nbsp;cred</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entials.&nbsp;Web&nbsp;applications&nbsp;and&nbsp;services&nbsp;often&nbsp;use&nbsp;session&nbsp;coo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entials.&nbsp;Web&nbsp;applications&nbsp;and&nbsp;services&nbsp;often&nbsp;use&nbsp;session&nbsp;coo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kies&nbsp;as&nbsp;an&nbsp;authentication&nbsp;token&nbsp;after&nbsp;a&nbsp;user&nbsp;has&nbsp;authenticat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kies&nbsp;as&nbsp;an&nbsp;authentication&nbsp;token&nbsp;after&nbsp;a&nbsp;user&nbsp;has&nbsp;authenticat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;a&nbsp;website.&nbsp;&nbsp;Cookies&nbsp;are&nbsp;often&nbsp;valid&nbsp;for&nbsp;an&nbsp;extended&nbsp;pe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;a&nbsp;website.&nbsp;&nbsp;Cookies&nbsp;are&nbsp;often&nbsp;valid&nbsp;for&nbsp;an&nbsp;extended&nbsp;pe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">riod&nbsp;of&nbsp;time,&nbsp;even&nbsp;if&nbsp;the&nbsp;web&nbsp;application&nbsp;is&nbsp;not&nbsp;actively&nbsp;us</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">riod&nbsp;of&nbsp;time,&nbsp;even&nbsp;if&nbsp;the&nbsp;web&nbsp;application&nbsp;is&nbsp;not&nbsp;actively&nbsp;us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed.&nbsp;Cookies&nbsp;can&nbsp;be&nbsp;found&nbsp;on&nbsp;disk,&nbsp;in&nbsp;the&nbsp;process&nbsp;memory&nbsp;of&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed.&nbsp;Cookies&nbsp;can&nbsp;be&nbsp;found&nbsp;on&nbsp;disk,&nbsp;in&nbsp;the&nbsp;process&nbsp;memory&nbsp;of&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;browser,&nbsp;and&nbsp;in&nbsp;network&nbsp;traffic&nbsp;to&nbsp;remote&nbsp;systems.&nbsp;Additi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;browser,&nbsp;and&nbsp;in&nbsp;network&nbsp;traffic&nbsp;to&nbsp;remote&nbsp;systems.&nbsp;Additi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onally,&nbsp;other&nbsp;applications&nbsp;on&nbsp;the&nbsp;targets&nbsp;machine&nbsp;might&nbsp;stor</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onally,&nbsp;other&nbsp;applications&nbsp;on&nbsp;the&nbsp;targets&nbsp;machine&nbsp;might&nbsp;stor</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;sensitive&nbsp;authentication&nbsp;cookies&nbsp;in&nbsp;memory&nbsp;(e.g.&nbsp;apps&nbsp;whic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;sensitive&nbsp;authentication&nbsp;cookies&nbsp;in&nbsp;memory&nbsp;(e.g.&nbsp;apps&nbsp;whic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">h&nbsp;authenticate&nbsp;to&nbsp;cloud&nbsp;services).&nbsp;Session&nbsp;cookies&nbsp;can&nbsp;be&nbsp;us</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">h&nbsp;authenticate&nbsp;to&nbsp;cloud&nbsp;services).&nbsp;Session&nbsp;cookies&nbsp;can&nbsp;be&nbsp;us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;bypasses&nbsp;some&nbsp;multi-factor&nbsp;authentication&nbsp;protocols.(C</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;bypasses&nbsp;some&nbsp;multi-factor&nbsp;authentication&nbsp;protocols.(C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Pass&nbsp;The&nbsp;Cookie)&nbsp;&nbsp;There&nbsp;are&nbsp;several&nbsp;examples&nbsp;of&nbsp;mal</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Pass&nbsp;The&nbsp;Cookie)&nbsp;&nbsp;There&nbsp;are&nbsp;several&nbsp;examples&nbsp;of&nbsp;mal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;targeting&nbsp;cookies&nbsp;from&nbsp;web&nbsp;browsers&nbsp;on&nbsp;the&nbsp;local&nbsp;system</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;targeting&nbsp;cookies&nbsp;from&nbsp;web&nbsp;browsers&nbsp;on&nbsp;the&nbsp;local&nbsp;system</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;Kaspersky&nbsp;TajMahal&nbsp;April&nbsp;2019)(Citation:&nbsp;Unit&nbsp;42</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;Kaspersky&nbsp;TajMahal&nbsp;April&nbsp;2019)(Citation:&nbsp;Unit&nbsp;42</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Mac&nbsp;Crypto&nbsp;Cookies&nbsp;January&nbsp;2019)&nbsp;There&nbsp;are&nbsp;also&nbsp;open&nbsp;source</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Mac&nbsp;Crypto&nbsp;Cookies&nbsp;January&nbsp;2019)&nbsp;There&nbsp;are&nbsp;also&nbsp;open&nbsp;source</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;frameworks&nbsp;such&nbsp;as&nbsp;Evilginx<span class=\"diff_sub\">&nbsp;</span>2<span class=\"diff_chg\">&nbsp;and&nbsp;</span>Muraena<span class=\"diff_chg\">&nbsp;that&nbsp;can&nbsp;gather&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;frameworks&nbsp;such&nbsp;as&nbsp;<span class=\"diff_add\">`</span>Evilginx2<span class=\"diff_chg\">`&nbsp;and&nbsp;`</span>Muraena<span class=\"diff_chg\">`&nbsp;that&nbsp;can&nbsp;gathe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ession&nbsp;cookies&nbsp;through&nbsp;a&nbsp;malicious</span>&nbsp;proxy&nbsp;(ex:&nbsp;[Adversary-in-</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">r&nbsp;session&nbsp;cookies&nbsp;through&nbsp;a&nbsp;malicious</span>&nbsp;proxy&nbsp;(ex:&nbsp;[Adversary-</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">the-Middle](https://attack.mitre.org/techniques/T1557))&nbsp;that</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in-the-Middle](https://attack.mitre.org/techniques/T1557))&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;can&nbsp;be&nbsp;set&nbsp;up&nbsp;by&nbsp;an&nbsp;adversary&nbsp;and&nbsp;used&nbsp;in&nbsp;phishing&nbsp;campaign</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hat&nbsp;can&nbsp;be&nbsp;set&nbsp;up&nbsp;by&nbsp;an&nbsp;adversary&nbsp;and&nbsp;used&nbsp;in&nbsp;phishing&nbsp;campa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.(Citation:&nbsp;Github&nbsp;evilginx2)(Citation:&nbsp;GitHub&nbsp;Mauraena)&nbsp;&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igns.(Citation:&nbsp;Github&nbsp;evilginx2)(Citation:&nbsp;GitHub&nbsp;Mauraena)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fter&nbsp;an&nbsp;adversary&nbsp;acquires&nbsp;a&nbsp;valid&nbsp;cookie,&nbsp;they&nbsp;can&nbsp;then&nbsp;per</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;After&nbsp;an&nbsp;adversary&nbsp;acquires&nbsp;a&nbsp;valid&nbsp;cookie,&nbsp;they&nbsp;can&nbsp;then&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">form&nbsp;a&nbsp;[Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/techniq</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">perform&nbsp;a&nbsp;[Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/tech</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ues/T1550/004)&nbsp;technique&nbsp;to&nbsp;login&nbsp;to&nbsp;the&nbsp;corresponding&nbsp;web&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">niques/T1550/004)&nbsp;technique&nbsp;to&nbsp;login&nbsp;to&nbsp;the&nbsp;corresponding&nbsp;we</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pplication.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">b&nbsp;application.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to37__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to37__0\"><a href=\"#difflib_chg_to37__top\">t</a></td><td class=\"diff_header\" id=\"from37_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td><td class=\"diff_next\"><a href=\"#difflib_chg_to37__top\">t</a></td><td class=\"diff_header\" id=\"to37_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;may&nbsp;steal&nbsp;web&nbsp;application&nbsp;or&nbsp;service&nbsp;session&nbsp;co</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">okies&nbsp;and&nbsp;use&nbsp;them&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Int</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">okies&nbsp;and&nbsp;use&nbsp;them&nbsp;to&nbsp;gain&nbsp;access&nbsp;to&nbsp;web&nbsp;applications&nbsp;or&nbsp;Int</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ernet&nbsp;services&nbsp;as&nbsp;an&nbsp;authenticated&nbsp;user&nbsp;without&nbsp;needing&nbsp;cred</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ernet&nbsp;services&nbsp;as&nbsp;an&nbsp;authenticated&nbsp;user&nbsp;without&nbsp;needing&nbsp;cred</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entials.&nbsp;Web&nbsp;applications&nbsp;and&nbsp;services&nbsp;often&nbsp;use&nbsp;session&nbsp;coo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">entials.&nbsp;Web&nbsp;applications&nbsp;and&nbsp;services&nbsp;often&nbsp;use&nbsp;session&nbsp;coo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kies&nbsp;as&nbsp;an&nbsp;authentication&nbsp;token&nbsp;after&nbsp;a&nbsp;user&nbsp;has&nbsp;authenticat</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">kies&nbsp;as&nbsp;an&nbsp;authentication&nbsp;token&nbsp;after&nbsp;a&nbsp;user&nbsp;has&nbsp;authenticat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;a&nbsp;website.&nbsp;&nbsp;Cookies&nbsp;are&nbsp;often&nbsp;valid&nbsp;for&nbsp;an&nbsp;extended&nbsp;pe</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;a&nbsp;website.&nbsp;&nbsp;Cookies&nbsp;are&nbsp;often&nbsp;valid&nbsp;for&nbsp;an&nbsp;extended&nbsp;pe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">riod&nbsp;of&nbsp;time,&nbsp;even&nbsp;if&nbsp;the&nbsp;web&nbsp;application&nbsp;is&nbsp;not&nbsp;actively&nbsp;us</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">riod&nbsp;of&nbsp;time,&nbsp;even&nbsp;if&nbsp;the&nbsp;web&nbsp;application&nbsp;is&nbsp;not&nbsp;actively&nbsp;us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed.&nbsp;Cookies&nbsp;can&nbsp;be&nbsp;found&nbsp;on&nbsp;disk,&nbsp;in&nbsp;the&nbsp;process&nbsp;memory&nbsp;of&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed.&nbsp;Cookies&nbsp;can&nbsp;be&nbsp;found&nbsp;on&nbsp;disk,&nbsp;in&nbsp;the&nbsp;process&nbsp;memory&nbsp;of&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;browser,&nbsp;and&nbsp;in&nbsp;network&nbsp;traffic&nbsp;to&nbsp;remote&nbsp;systems.&nbsp;Additi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">he&nbsp;browser,&nbsp;and&nbsp;in&nbsp;network&nbsp;traffic&nbsp;to&nbsp;remote&nbsp;systems.&nbsp;Additi</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onally,&nbsp;other&nbsp;applications&nbsp;on&nbsp;the&nbsp;targets&nbsp;machine&nbsp;might&nbsp;stor</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onally,&nbsp;other&nbsp;applications&nbsp;on&nbsp;the&nbsp;targets&nbsp;machine&nbsp;might&nbsp;stor</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;sensitive&nbsp;authentication&nbsp;cookies&nbsp;in&nbsp;memory&nbsp;(e.g.&nbsp;apps&nbsp;whic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;sensitive&nbsp;authentication&nbsp;cookies&nbsp;in&nbsp;memory&nbsp;(e.g.&nbsp;apps&nbsp;whic</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">h&nbsp;authenticate&nbsp;to&nbsp;cloud&nbsp;services).&nbsp;Session&nbsp;cookies&nbsp;can&nbsp;be&nbsp;us</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">h&nbsp;authenticate&nbsp;to&nbsp;cloud&nbsp;services).&nbsp;Session&nbsp;cookies&nbsp;can&nbsp;be&nbsp;us</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;bypasses&nbsp;some&nbsp;multi-factor&nbsp;authentication&nbsp;protocols.(C</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ed&nbsp;to&nbsp;bypasses&nbsp;some&nbsp;multi-factor&nbsp;authentication&nbsp;protocols.(C</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Pass&nbsp;The&nbsp;Cookie)&nbsp;&nbsp;There&nbsp;are&nbsp;several&nbsp;examples&nbsp;of&nbsp;mal</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">itation:&nbsp;Pass&nbsp;The&nbsp;Cookie)&nbsp;&nbsp;There&nbsp;are&nbsp;several&nbsp;examples&nbsp;of&nbsp;mal</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;targeting&nbsp;cookies&nbsp;from&nbsp;web&nbsp;browsers&nbsp;on&nbsp;the&nbsp;local&nbsp;system</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware&nbsp;targeting&nbsp;cookies&nbsp;from&nbsp;web&nbsp;browsers&nbsp;on&nbsp;the&nbsp;local&nbsp;system</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;Kaspersky&nbsp;TajMahal&nbsp;April&nbsp;2019)(Citation:&nbsp;Unit&nbsp;42</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.(Citation:&nbsp;Kaspersky&nbsp;TajMahal&nbsp;April&nbsp;2019)(Citation:&nbsp;Unit&nbsp;42</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Mac&nbsp;Crypto&nbsp;Cookies&nbsp;January&nbsp;2019)&nbsp;There&nbsp;are&nbsp;also&nbsp;open&nbsp;source</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Mac&nbsp;Crypto&nbsp;Cookies&nbsp;January&nbsp;2019)&nbsp;There&nbsp;are&nbsp;also&nbsp;open&nbsp;source</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;frameworks&nbsp;such&nbsp;as&nbsp;Evilginx<span class=\"diff_sub\">&nbsp;</span>2<span class=\"diff_chg\">&nbsp;and&nbsp;</span>Muraena<span class=\"diff_chg\">&nbsp;that&nbsp;can&nbsp;gather&nbsp;s</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;frameworks&nbsp;such&nbsp;as&nbsp;<span class=\"diff_add\">`</span>Evilginx2<span class=\"diff_chg\">`&nbsp;and&nbsp;`</span>Muraena<span class=\"diff_chg\">`&nbsp;that&nbsp;can&nbsp;gathe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ession&nbsp;cookies&nbsp;through&nbsp;a&nbsp;malicious</span>&nbsp;proxy&nbsp;(ex:&nbsp;[Adversary-in-</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">r&nbsp;session&nbsp;cookies&nbsp;through&nbsp;a&nbsp;malicious</span>&nbsp;proxy&nbsp;(ex:&nbsp;[Adversary-</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">the-Middle](https://attack.mitre.org/techniques/T1557))&nbsp;that</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in-the-Middle](https://attack.mitre.org/techniques/T1557))&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;can&nbsp;be&nbsp;set&nbsp;up&nbsp;by&nbsp;an&nbsp;adversary&nbsp;and&nbsp;used&nbsp;in&nbsp;phishing&nbsp;campaign</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hat&nbsp;can&nbsp;be&nbsp;set&nbsp;up&nbsp;by&nbsp;an&nbsp;adversary&nbsp;and&nbsp;used&nbsp;in&nbsp;phishing&nbsp;campa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s.(Citation:&nbsp;Github&nbsp;evilginx2)(Citation:&nbsp;GitHub&nbsp;Mauraena)&nbsp;&nbsp;A</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igns.(Citation:&nbsp;Github&nbsp;evilginx2)(Citation:&nbsp;GitHub&nbsp;Mauraena)</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">fter&nbsp;an&nbsp;adversary&nbsp;acquires&nbsp;a&nbsp;valid&nbsp;cookie,&nbsp;they&nbsp;can&nbsp;then&nbsp;per</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;&nbsp;After&nbsp;an&nbsp;adversary&nbsp;acquires&nbsp;a&nbsp;valid&nbsp;cookie,&nbsp;they&nbsp;can&nbsp;then&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">form&nbsp;a&nbsp;[Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/techniq</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">perform&nbsp;a&nbsp;[Web&nbsp;Session&nbsp;Cookie](https://attack.mitre.org/tech</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ues/T1550/004)&nbsp;technique&nbsp;to&nbsp;login&nbsp;to&nbsp;the&nbsp;corresponding&nbsp;web&nbsp;a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">niques/T1550/004)&nbsp;technique&nbsp;to&nbsp;login&nbsp;to&nbsp;the&nbsp;corresponding&nbsp;we</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">pplication.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">b&nbsp;application.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1017: User Training",
@@ -14844,7 +14844,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-12 20:21:08.235000+00:00\", \"old_value\": \"2022-01-14 21:53:00.543000+00:00\"}, \"root['description']\": {\"new_value\": \"[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine it's permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)\", \"old_value\": \"[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Unit42 OceanLotus 2017\", \"description\": \"Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.\", \"url\": \"https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/\"}}}",
                     "previous_version": "2.2",
                     "version_change": "2.2 \u2192 3.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to42__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to42__0\"><a href=\"#difflib_chg_to42__top\">t</a></td><td class=\"diff_header\" id=\"from42_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to42__top\">t</a></td><td class=\"diff_header\" id=\"to42_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">is&nbsp;a&nbsp;MacOS&nbsp;backdoor&nbsp;with&nbsp;several&nbsp;variants&nbsp;that&nbsp;has&nbsp;been&nbsp;used</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">is&nbsp;a&nbsp;macOS&nbsp;backdoor&nbsp;used&nbsp;by&nbsp;[APT32](https://attack.mitre.org</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;by&nbsp;[APT32](https://attack.mitre.org/groups/G0050).(Citation</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/groups/G0050).&nbsp;First&nbsp;discovered&nbsp;in&nbsp;2015,&nbsp;[APT32](https://at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">:&nbsp;TrendMicro&nbsp;MacOS&nbsp;April&nbsp;2018)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;MacOS&nbsp;B</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tack.mitre.org/groups/G0050)&nbsp;has&nbsp;continued&nbsp;to&nbsp;make&nbsp;improveme</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ackdoor&nbsp;November&nbsp;2020)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nts&nbsp;using&nbsp;a&nbsp;plugin&nbsp;architecture&nbsp;to&nbsp;extend&nbsp;capabilities,&nbsp;spec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ifically&nbsp;using&nbsp;`.dylib`&nbsp;files.&nbsp;[OSX_OCEANLOTUS.D](https://at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tack.mitre.org/software/S0352)&nbsp;can&nbsp;also&nbsp;determine&nbsp;it's&nbsp;permi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ssion&nbsp;level&nbsp;and&nbsp;execute&nbsp;according&nbsp;to&nbsp;access&nbsp;type&nbsp;(`root`&nbsp;or&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`user`).(Citation:&nbsp;Unit42&nbsp;OceanLotus&nbsp;2017)(Citation:&nbsp;TrendMi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cro&nbsp;MacOS&nbsp;April&nbsp;2018)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;MacOS&nbsp;Backdoor&nbsp;N</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ovember&nbsp;2020)</span></td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to41__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to41__0\"><a href=\"#difflib_chg_to41__top\">t</a></td><td class=\"diff_header\" id=\"from41_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to41__top\">t</a></td><td class=\"diff_header\" id=\"to41_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352)&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">is&nbsp;a&nbsp;MacOS&nbsp;backdoor&nbsp;with&nbsp;several&nbsp;variants&nbsp;that&nbsp;has&nbsp;been&nbsp;used</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">is&nbsp;a&nbsp;macOS&nbsp;backdoor&nbsp;used&nbsp;by&nbsp;[APT32](https://attack.mitre.org</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;by&nbsp;[APT32](https://attack.mitre.org/groups/G0050).(Citation</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">/groups/G0050).&nbsp;First&nbsp;discovered&nbsp;in&nbsp;2015,&nbsp;[APT32](https://at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">:&nbsp;TrendMicro&nbsp;MacOS&nbsp;April&nbsp;2018)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;MacOS&nbsp;B</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tack.mitre.org/groups/G0050)&nbsp;has&nbsp;continued&nbsp;to&nbsp;make&nbsp;improveme</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ackdoor&nbsp;November&nbsp;2020)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nts&nbsp;using&nbsp;a&nbsp;plugin&nbsp;architecture&nbsp;to&nbsp;extend&nbsp;capabilities,&nbsp;spec</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ifically&nbsp;using&nbsp;`.dylib`&nbsp;files.&nbsp;[OSX_OCEANLOTUS.D](https://at</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tack.mitre.org/software/S0352)&nbsp;can&nbsp;also&nbsp;determine&nbsp;it's&nbsp;permi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ssion&nbsp;level&nbsp;and&nbsp;execute&nbsp;according&nbsp;to&nbsp;access&nbsp;type&nbsp;(`root`&nbsp;or&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">`user`).(Citation:&nbsp;Unit42&nbsp;OceanLotus&nbsp;2017)(Citation:&nbsp;TrendMi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cro&nbsp;MacOS&nbsp;April&nbsp;2018)(Citation:&nbsp;Trend&nbsp;Micro&nbsp;MacOS&nbsp;Backdoor&nbsp;N</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ovember&nbsp;2020)</span></td></tr>\n        </tbody>\n    </table>"
                 },
                 {
                     "type": "malware",
@@ -17357,7 +17357,7 @@
                     "x_mitre_version": "1.0",
                     "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)\", \"old_value\": \"[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)\"}}}",
                     "previous_version": "1.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to41__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to41__0\"><a href=\"#difflib_chg_to41__top\">t</a></td><td class=\"diff_header\" id=\"from41_1\">1</td><td nowrap=\"nowrap\">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td><td class=\"diff_next\"><a href=\"#difflib_chg_to41__top\">t</a></td><td class=\"diff_header\" id=\"to41_1\">1</td><td nowrap=\"nowrap\">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;that&nbsp;uses&nbsp;a&nbsp;unique&nbsp;Dogecoin-based&nbsp;Domain&nbsp;Generation&nbsp;Algori</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;that&nbsp;uses&nbsp;a&nbsp;unique&nbsp;Dogecoin-based&nbsp;Domain&nbsp;Generation&nbsp;Algori</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">thm&nbsp;and&nbsp;was&nbsp;first&nbsp;observed&nbsp;in&nbsp;July&nbsp;2020.&nbsp;[Doki](https://atta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">thm&nbsp;and&nbsp;was&nbsp;first&nbsp;observed&nbsp;in&nbsp;July&nbsp;2020.&nbsp;[Doki](https://atta</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck.mitre.org/software/S0600)&nbsp;was&nbsp;used&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck.mitre.org/software/S0600)&nbsp;was&nbsp;used&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;[<span class=\"diff_chg\">N</span>grok](https://attack.mitre.org/software/S0508)&nbsp;Mining&nbsp;Bo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;[<span class=\"diff_chg\">n</span>grok](https://attack.mitre.org/software/S0508)&nbsp;Mining&nbsp;Bo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tnet&nbsp;in&nbsp;a&nbsp;campaign&nbsp;that&nbsp;targeted&nbsp;Docker&nbsp;servers&nbsp;in&nbsp;cloud&nbsp;pla</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tnet&nbsp;in&nbsp;a&nbsp;campaign&nbsp;that&nbsp;targeted&nbsp;Docker&nbsp;servers&nbsp;in&nbsp;cloud&nbsp;pla</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tforms.&nbsp;(Citation:&nbsp;Intezer&nbsp;Doki&nbsp;July&nbsp;20)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tforms.&nbsp;(Citation:&nbsp;Intezer&nbsp;Doki&nbsp;July&nbsp;20)</td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to42__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to42__0\"><a href=\"#difflib_chg_to42__top\">t</a></td><td class=\"diff_header\" id=\"from42_1\">1</td><td nowrap=\"nowrap\">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td><td class=\"diff_next\"><a href=\"#difflib_chg_to42__top\">t</a></td><td class=\"diff_header\" id=\"to42_1\">1</td><td nowrap=\"nowrap\">[Doki](https://attack.mitre.org/software/S0600)&nbsp;is&nbsp;a&nbsp;backdoo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;that&nbsp;uses&nbsp;a&nbsp;unique&nbsp;Dogecoin-based&nbsp;Domain&nbsp;Generation&nbsp;Algori</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">r&nbsp;that&nbsp;uses&nbsp;a&nbsp;unique&nbsp;Dogecoin-based&nbsp;Domain&nbsp;Generation&nbsp;Algori</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">thm&nbsp;and&nbsp;was&nbsp;first&nbsp;observed&nbsp;in&nbsp;July&nbsp;2020.&nbsp;[Doki](https://atta</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">thm&nbsp;and&nbsp;was&nbsp;first&nbsp;observed&nbsp;in&nbsp;July&nbsp;2020.&nbsp;[Doki](https://atta</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck.mitre.org/software/S0600)&nbsp;was&nbsp;used&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ck.mitre.org/software/S0600)&nbsp;was&nbsp;used&nbsp;in&nbsp;conjunction&nbsp;with&nbsp;th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;[<span class=\"diff_chg\">N</span>grok](https://attack.mitre.org/software/S0508)&nbsp;Mining&nbsp;Bo</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;[<span class=\"diff_chg\">n</span>grok](https://attack.mitre.org/software/S0508)&nbsp;Mining&nbsp;Bo</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tnet&nbsp;in&nbsp;a&nbsp;campaign&nbsp;that&nbsp;targeted&nbsp;Docker&nbsp;servers&nbsp;in&nbsp;cloud&nbsp;pla</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tnet&nbsp;in&nbsp;a&nbsp;campaign&nbsp;that&nbsp;targeted&nbsp;Docker&nbsp;servers&nbsp;in&nbsp;cloud&nbsp;pla</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tforms.&nbsp;(Citation:&nbsp;Intezer&nbsp;Doki&nbsp;July&nbsp;20)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tforms.&nbsp;(Citation:&nbsp;Intezer&nbsp;Doki&nbsp;July&nbsp;20)</td></tr>\n        </tbody>\n    </table>"
                 },
                 {
                     "type": "malware",
@@ -18392,7 +18392,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-04 18:10:49.054000+00:00\", \"old_value\": \"2023-03-22 03:51:04.185000+00:00\"}, \"root['description']\": {\"new_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)\", \"old_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"Mandiant FIN7 Apr 2022\", \"description\": \"Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.\", \"url\": \"https://www.mandiant.com/resources/evolution-of-fin7\"}}}",
                     "previous_version": "2.2",
                     "version_change": "2.2 \u2192 3.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to44__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to44__0\"><a href=\"#difflib_chg_to44__top\">t</a></td><td class=\"diff_header\" id=\"from44_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to44__top\">t</a></td><td class=\"diff_header\" id=\"to44_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013.&nbsp;[</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">imarily&nbsp;targeting&nbsp;the&nbsp;U.S.&nbsp;retail,&nbsp;restaurant,&nbsp;and&nbsp;hospitali</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">FIN7](https://attack.mitre.org/groups/G0046)&nbsp;has&nbsp;primarily&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ty&nbsp;sectors,&nbsp;often&nbsp;using&nbsp;point-of-sale&nbsp;malware.&nbsp;A&nbsp;portion&nbsp;of&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">argeted&nbsp;the&nbsp;retail,&nbsp;restaurant,&nbsp;hospitality,&nbsp;software,&nbsp;consu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lting,&nbsp;financial&nbsp;services,&nbsp;medical&nbsp;equipment,&nbsp;cloud&nbsp;services</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Combi&nbsp;Security.&nbsp;Since&nbsp;2020&nbsp;[FIN7](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;media,&nbsp;food&nbsp;and&nbsp;beverage,&nbsp;transportation,&nbsp;and&nbsp;utilities&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/groups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dustries&nbsp;in&nbsp;the&nbsp;U.S.&nbsp;A&nbsp;portion&nbsp;of&nbsp;[FIN7](https://attack.mitr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;approach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/software/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mbi&nbsp;Security&nbsp;and&nbsp;often&nbsp;used&nbsp;point-of-sale&nbsp;malware&nbsp;for&nbsp;target</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Service&nbsp;(RaaS),&nbsp;Darkside.&nbsp;[FIN7](https:/</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;efforts.&nbsp;Since&nbsp;2020,&nbsp;[FIN7](https://attack.mitre.org/gro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/attack.mitre.org/groups/G0046)&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carban</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;ap</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ak](https://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">proach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](https://attack.mitre.org/sof</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">appears&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tware/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Servic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.mitre.org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;(RaaS),&nbsp;Darkside.&nbsp;FIN7&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carbanak](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;separately.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;Fi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;appears</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">reEye&nbsp;FIN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carb</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked&nbsp;separa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on&nbsp;Spider&nbsp;August&nbsp;2021)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tely.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;F</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">IN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)(Citati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carbon&nbsp;Spid</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;August&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;FIN7&nbsp;Apr&nbsp;2022)</span></td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to46__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to46__0\"><a href=\"#difflib_chg_to46__top\">t</a></td><td class=\"diff_header\" id=\"from46_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to46__top\">t</a></td><td class=\"diff_header\" id=\"to46_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013.&nbsp;[</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">imarily&nbsp;targeting&nbsp;the&nbsp;U.S.&nbsp;retail,&nbsp;restaurant,&nbsp;and&nbsp;hospitali</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">FIN7](https://attack.mitre.org/groups/G0046)&nbsp;has&nbsp;primarily&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ty&nbsp;sectors,&nbsp;often&nbsp;using&nbsp;point-of-sale&nbsp;malware.&nbsp;A&nbsp;portion&nbsp;of&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">argeted&nbsp;the&nbsp;retail,&nbsp;restaurant,&nbsp;hospitality,&nbsp;software,&nbsp;consu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lting,&nbsp;financial&nbsp;services,&nbsp;medical&nbsp;equipment,&nbsp;cloud&nbsp;services</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Combi&nbsp;Security.&nbsp;Since&nbsp;2020&nbsp;[FIN7](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;media,&nbsp;food&nbsp;and&nbsp;beverage,&nbsp;transportation,&nbsp;and&nbsp;utilities&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/groups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dustries&nbsp;in&nbsp;the&nbsp;U.S.&nbsp;A&nbsp;portion&nbsp;of&nbsp;[FIN7](https://attack.mitr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;approach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/software/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mbi&nbsp;Security&nbsp;and&nbsp;often&nbsp;used&nbsp;point-of-sale&nbsp;malware&nbsp;for&nbsp;target</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Service&nbsp;(RaaS),&nbsp;Darkside.&nbsp;[FIN7](https:/</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;efforts.&nbsp;Since&nbsp;2020,&nbsp;[FIN7](https://attack.mitre.org/gro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/attack.mitre.org/groups/G0046)&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carban</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;ap</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ak](https://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">proach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](https://attack.mitre.org/sof</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">appears&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tware/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Servic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.mitre.org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;(RaaS),&nbsp;Darkside.&nbsp;FIN7&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carbanak](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;separately.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;Fi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;appears</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">reEye&nbsp;FIN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carb</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked&nbsp;separa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on&nbsp;Spider&nbsp;August&nbsp;2021)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tely.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;F</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">IN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)(Citati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carbon&nbsp;Spid</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;August&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;FIN7&nbsp;Apr&nbsp;2022)</span></td></tr>\n        </tbody>\n    </table>"
                 },
                 {
                     "type": "intrusion-set",
@@ -18516,7 +18516,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Jennifer Kim Roman, CrowdStrike\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-03 21:39:36.666000+00:00\", \"old_value\": \"2022-09-15 19:49:18.799000+00:00\"}, \"root['description']\": {\"new_value\": \"[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)\", \"old_value\": \"[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}}",
                     "previous_version": "2.1",
                     "version_change": "2.1 \u2192 3.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to45__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to45__0\"><a href=\"#difflib_chg_to45__top\">t</a></td><td class=\"diff_header\" id=\"from45_1\">1</td><td nowrap=\"nowrap\">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to45__top\">t</a></td><td class=\"diff_header\" id=\"to45_1\">1</td><td nowrap=\"nowrap\">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;cybercriminal&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;cybercriminal&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">at&nbsp;least&nbsp;2014.&nbsp;[Indrik&nbsp;Spider](https://attack.mitre.org/grou</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">at&nbsp;least&nbsp;2014.&nbsp;[Indrik&nbsp;Spider](https://attack.mitre.org/grou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps/G0119)&nbsp;initially&nbsp;started&nbsp;with&nbsp;the&nbsp;[Dridex](https://attack</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps/G0119)&nbsp;initially&nbsp;started&nbsp;with&nbsp;the&nbsp;[Dridex](https://attack</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.mitre.org/software/S0384)&nbsp;banking&nbsp;Trojan,&nbsp;and&nbsp;then&nbsp;by&nbsp;2017&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.mitre.org/software/S0384)&nbsp;banking&nbsp;Trojan,&nbsp;and&nbsp;then&nbsp;by&nbsp;2017&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">they&nbsp;began&nbsp;running&nbsp;ransomware&nbsp;operations&nbsp;using&nbsp;[BitPaymer](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">they&nbsp;began&nbsp;running&nbsp;ransomware&nbsp;operations&nbsp;using&nbsp;[BitPaymer](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/software/S0570),&nbsp;[WastedLocker](http</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/software/S0570),&nbsp;[WastedLocker](http</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s://attack.mitre.org/software/S0612),&nbsp;and&nbsp;Hades&nbsp;ransomware.(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s://attack.mitre.org/software/S0612),&nbsp;and&nbsp;Hades&nbsp;ransomware<span class=\"diff_add\">.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;Crowdstrike&nbsp;Indrik&nbsp;November&nbsp;2018)(Citation:&nbsp;Crowds</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Following&nbsp;U.S.&nbsp;sanctions&nbsp;and&nbsp;an&nbsp;indictment&nbsp;in&nbsp;2019,&nbsp;[Indrik&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trike&nbsp;EvilCorp&nbsp;March&nbsp;2021)(Citation:&nbsp;Treasury&nbsp;EvilCorp&nbsp;Dec&nbsp;2</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Spider](https://attack.mitre.org/groups/G0119)&nbsp;changed&nbsp;their</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">019)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;tactics&nbsp;and&nbsp;diversified&nbsp;their&nbsp;toolset</span>.(Citation:&nbsp;Crowdstrik</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;Indrik&nbsp;November&nbsp;2018)(Citation:&nbsp;Crowdstrike&nbsp;EvilCorp&nbsp;March</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2021)(Citation:&nbsp;Treasury&nbsp;EvilCorp&nbsp;Dec&nbsp;2019)</td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to44__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to44__0\"><a href=\"#difflib_chg_to44__top\">t</a></td><td class=\"diff_header\" id=\"from44_1\">1</td><td nowrap=\"nowrap\">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to44__top\">t</a></td><td class=\"diff_header\" id=\"to44_1\">1</td><td nowrap=\"nowrap\">[Indrik&nbsp;Spider](https://attack.mitre.org/groups/G0119)&nbsp;is&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;cybercriminal&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;cybercriminal&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">at&nbsp;least&nbsp;2014.&nbsp;[Indrik&nbsp;Spider](https://attack.mitre.org/grou</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">at&nbsp;least&nbsp;2014.&nbsp;[Indrik&nbsp;Spider](https://attack.mitre.org/grou</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps/G0119)&nbsp;initially&nbsp;started&nbsp;with&nbsp;the&nbsp;[Dridex](https://attack</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ps/G0119)&nbsp;initially&nbsp;started&nbsp;with&nbsp;the&nbsp;[Dridex](https://attack</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.mitre.org/software/S0384)&nbsp;banking&nbsp;Trojan,&nbsp;and&nbsp;then&nbsp;by&nbsp;2017&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">.mitre.org/software/S0384)&nbsp;banking&nbsp;Trojan,&nbsp;and&nbsp;then&nbsp;by&nbsp;2017&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">they&nbsp;began&nbsp;running&nbsp;ransomware&nbsp;operations&nbsp;using&nbsp;[BitPaymer](h</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">they&nbsp;began&nbsp;running&nbsp;ransomware&nbsp;operations&nbsp;using&nbsp;[BitPaymer](h</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/software/S0570),&nbsp;[WastedLocker](http</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttps://attack.mitre.org/software/S0570),&nbsp;[WastedLocker](http</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s://attack.mitre.org/software/S0612),&nbsp;and&nbsp;Hades&nbsp;ransomware.(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s://attack.mitre.org/software/S0612),&nbsp;and&nbsp;Hades&nbsp;ransomware<span class=\"diff_add\">.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;Crowdstrike&nbsp;Indrik&nbsp;November&nbsp;2018)(Citation:&nbsp;Crowds</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Following&nbsp;U.S.&nbsp;sanctions&nbsp;and&nbsp;an&nbsp;indictment&nbsp;in&nbsp;2019,&nbsp;[Indrik&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trike&nbsp;EvilCorp&nbsp;March&nbsp;2021)(Citation:&nbsp;Treasury&nbsp;EvilCorp&nbsp;Dec&nbsp;2</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Spider](https://attack.mitre.org/groups/G0119)&nbsp;changed&nbsp;their</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">019)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;tactics&nbsp;and&nbsp;diversified&nbsp;their&nbsp;toolset</span>.(Citation:&nbsp;Crowdstrik</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;Indrik&nbsp;November&nbsp;2018)(Citation:&nbsp;Crowdstrike&nbsp;EvilCorp&nbsp;March</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2021)(Citation:&nbsp;Treasury&nbsp;EvilCorp&nbsp;Dec&nbsp;2019)</td></tr>\n        </tbody>\n    </table>"
                 },
                 {
                     "type": "intrusion-set",
@@ -18658,7 +18658,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-08-02 19:48:08.774000+00:00\", \"old_value\": \"2023-03-22 05:41:28.428000+00:00\"}, \"root['description']\": {\"new_value\": \"[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB).  They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)\", \"old_value\": \"[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)\"}, \"root['x_mitre_version']\": {\"new_value\": \"4.0\", \"old_value\": \"3.1\"}}, \"iterable_item_added\": {\"root['external_references'][14]\": {\"source_name\": \"Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023\", \"description\": \"FBI et al. (2023, May 9). Hunting Russian Intelligence \\u201cSnake\\u201d Malware. Retrieved June 8, 2023.\", \"url\": \"https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf\"}}}",
                     "previous_version": "3.1",
                     "version_change": "3.1 \u2192 4.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to46__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to46__0\"><a href=\"#difflib_chg_to46__top\">t</a></td><td class=\"diff_header\" id=\"from46_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;Russian-</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to46__top\">t</a></td><td class=\"diff_header\" id=\"to46_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;cyber&nbsp;es</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">based&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;infected&nbsp;victims&nbsp;in&nbsp;over&nbsp;45&nbsp;coun</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pionage&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;attributed&nbsp;to&nbsp;Russia's&nbsp;Fe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tries,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;of&nbsp;industries&nbsp;including&nbsp;government,&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">deral&nbsp;Security&nbsp;Service&nbsp;(FSB).&nbsp;&nbsp;They&nbsp;have&nbsp;compromised&nbsp;victims</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">embassies,&nbsp;military,&nbsp;education,&nbsp;research&nbsp;and&nbsp;pharmaceutical&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;in&nbsp;over&nbsp;50&nbsp;countries&nbsp;since&nbsp;at&nbsp;least&nbsp;2004,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">companies&nbsp;since&nbsp;2004.&nbsp;Heightened&nbsp;activity&nbsp;was&nbsp;seen&nbsp;in&nbsp;mid-20</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">of&nbsp;industries&nbsp;including&nbsp;government,&nbsp;embassies,&nbsp;military,&nbsp;edu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">15.&nbsp;[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;known&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cation,&nbsp;research&nbsp;and&nbsp;pharmaceutical&nbsp;companies.&nbsp;[Turla](https</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">for&nbsp;conducting&nbsp;watering&nbsp;hole&nbsp;and&nbsp;spearphishing&nbsp;campaigns&nbsp;and</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;known&nbsp;for&nbsp;conducting&nbsp;wa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;leveraging&nbsp;in-house&nbsp;tools&nbsp;and&nbsp;malware.&nbsp;[Turla](https://atta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tering&nbsp;hole&nbsp;and&nbsp;spearphishing&nbsp;campaigns,&nbsp;and&nbsp;leveraging&nbsp;in-h</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ck.mitre.org/groups/G0010)\u2019s&nbsp;espionage&nbsp;platform&nbsp;is&nbsp;mainly&nbsp;us</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ouse&nbsp;tools&nbsp;and&nbsp;malware,&nbsp;such&nbsp;as&nbsp;[Uroburos](https://attack.mi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ed&nbsp;against&nbsp;Windows&nbsp;machines,&nbsp;but&nbsp;has&nbsp;also&nbsp;been&nbsp;seen&nbsp;used&nbsp;aga</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tre.org/software/S0022).(Citation:&nbsp;Kaspersky&nbsp;Turla)(Citation</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">inst&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;machines.(Citation:&nbsp;Kaspersky&nbsp;Turla)(Ci</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">:&nbsp;ESET&nbsp;Gazer&nbsp;Aug&nbsp;2017)(Citation:&nbsp;CrowdStrike&nbsp;VENOMOUS&nbsp;BEAR)(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tation:&nbsp;ESET&nbsp;Gazer&nbsp;Aug&nbsp;2017)(Citation:&nbsp;CrowdStrike&nbsp;VENOMOUS&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Citation:&nbsp;ESET&nbsp;Turla&nbsp;Mosquito&nbsp;Jan&nbsp;2018)(Citation:&nbsp;Joint&nbsp;Cybe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">BEAR)(Citation:&nbsp;ESET&nbsp;Turla&nbsp;Mosquito&nbsp;Jan&nbsp;2018)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rsecurity&nbsp;Advisory&nbsp;AA23-129A&nbsp;Snake&nbsp;Malware&nbsp;May&nbsp;2023)</span></td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to43__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to43__0\"><a href=\"#difflib_chg_to43__top\">t</a></td><td class=\"diff_header\" id=\"from43_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;Russian-</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to43__top\">t</a></td><td class=\"diff_header\" id=\"to43_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;a&nbsp;cyber&nbsp;es</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">based&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;infected&nbsp;victims&nbsp;in&nbsp;over&nbsp;45&nbsp;coun</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">pionage&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;attributed&nbsp;to&nbsp;Russia's&nbsp;Fe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tries,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;of&nbsp;industries&nbsp;including&nbsp;government,&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">deral&nbsp;Security&nbsp;Service&nbsp;(FSB).&nbsp;&nbsp;They&nbsp;have&nbsp;compromised&nbsp;victims</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">embassies,&nbsp;military,&nbsp;education,&nbsp;research&nbsp;and&nbsp;pharmaceutical&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;in&nbsp;over&nbsp;50&nbsp;countries&nbsp;since&nbsp;at&nbsp;least&nbsp;2004,&nbsp;spanning&nbsp;a&nbsp;range&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">companies&nbsp;since&nbsp;2004.&nbsp;Heightened&nbsp;activity&nbsp;was&nbsp;seen&nbsp;in&nbsp;mid-20</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">of&nbsp;industries&nbsp;including&nbsp;government,&nbsp;embassies,&nbsp;military,&nbsp;edu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">15.&nbsp;[Turla](https://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;known&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cation,&nbsp;research&nbsp;and&nbsp;pharmaceutical&nbsp;companies.&nbsp;[Turla](https</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">for&nbsp;conducting&nbsp;watering&nbsp;hole&nbsp;and&nbsp;spearphishing&nbsp;campaigns&nbsp;and</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">://attack.mitre.org/groups/G0010)&nbsp;is&nbsp;known&nbsp;for&nbsp;conducting&nbsp;wa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;leveraging&nbsp;in-house&nbsp;tools&nbsp;and&nbsp;malware.&nbsp;[Turla](https://atta</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tering&nbsp;hole&nbsp;and&nbsp;spearphishing&nbsp;campaigns,&nbsp;and&nbsp;leveraging&nbsp;in-h</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ck.mitre.org/groups/G0010)\u2019s&nbsp;espionage&nbsp;platform&nbsp;is&nbsp;mainly&nbsp;us</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ouse&nbsp;tools&nbsp;and&nbsp;malware,&nbsp;such&nbsp;as&nbsp;[Uroburos](https://attack.mi</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ed&nbsp;against&nbsp;Windows&nbsp;machines,&nbsp;but&nbsp;has&nbsp;also&nbsp;been&nbsp;seen&nbsp;used&nbsp;aga</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tre.org/software/S0022).(Citation:&nbsp;Kaspersky&nbsp;Turla)(Citation</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">inst&nbsp;macOS&nbsp;and&nbsp;Linux&nbsp;machines.(Citation:&nbsp;Kaspersky&nbsp;Turla)(Ci</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">:&nbsp;ESET&nbsp;Gazer&nbsp;Aug&nbsp;2017)(Citation:&nbsp;CrowdStrike&nbsp;VENOMOUS&nbsp;BEAR)(</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tation:&nbsp;ESET&nbsp;Gazer&nbsp;Aug&nbsp;2017)(Citation:&nbsp;CrowdStrike&nbsp;VENOMOUS&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">Citation:&nbsp;ESET&nbsp;Turla&nbsp;Mosquito&nbsp;Jan&nbsp;2018)(Citation:&nbsp;Joint&nbsp;Cybe</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">BEAR)(Citation:&nbsp;ESET&nbsp;Turla&nbsp;Mosquito&nbsp;Jan&nbsp;2018)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">rsecurity&nbsp;Advisory&nbsp;AA23-129A&nbsp;Snake&nbsp;Malware&nbsp;May&nbsp;2023)</span></td></tr>\n        </tbody>\n    </table>"
                 },
                 {
                     "type": "intrusion-set",
@@ -18777,7 +18777,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-12 14:35:52.920000+00:00\", \"old_value\": \"2023-03-22 05:44:27.289000+00:00\"}, \"root['description']\": {\"new_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\", \"old_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['aliases'][4]\": \"FIN12\", \"root['aliases'][5]\": \"GOLD BLACKBURN\", \"root['aliases'][6]\": \"ITG23\", \"root['aliases'][7]\": \"Periwinkle Tempest\", \"root['external_references'][4]\": {\"source_name\": \"ITG23\", \"description\": \"(Citation: IBM X-Force ITG23 Oct 2021)\"}, \"root['external_references'][5]\": {\"source_name\": \"FIN12\", \"description\": \"(Citation: Mandiant FIN12 Oct 2021)\"}, \"root['external_references'][6]\": {\"source_name\": \"GOLD BLACKBURN\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][7]\": {\"source_name\": \"Periwinkle Tempest\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][14]\": {\"source_name\": \"Secureworks Gold Blackburn Mar 2022\", \"description\": \"Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.\", \"url\": \"https://www.secureworks.com/research/threat-profiles/gold-blackburn\"}, \"root['external_references'][15]\": {\"source_name\": \"Mandiant FIN12 Oct 2021\", \"description\": \"Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.\", \"url\": \"https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf\"}, \"root['external_references'][16]\": {\"source_name\": \"IBM X-Force ITG23 Oct 2021\", \"description\": \"Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.\", \"url\": \"https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/\"}}}",
                     "previous_version": "2.1",
                     "version_change": "2.1 \u2192 3.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to43__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to43__0\"><a href=\"#difflib_chg_to43__top\">t</a></td><td class=\"diff_header\" id=\"from43_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to43__top\">t</a></td><td class=\"diff_header\" id=\"to43_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">senal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campai</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">esenal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">orporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;January</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">corporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;Januar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;Oc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;O</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;2020</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;202</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">0)</td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to45__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to45__0\"><a href=\"#difflib_chg_to45__top\">t</a></td><td class=\"diff_header\" id=\"from45_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to45__top\">t</a></td><td class=\"diff_header\" id=\"to45_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">senal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campai</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">esenal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">orporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;January</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">corporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;Januar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;Oc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;O</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;2020</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;202</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">0)</td></tr>\n        </tbody>\n    </table>"
                 }
             ],
             "minor_version_changes": [
@@ -21211,7 +21211,7 @@
                     "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Shankar Raman, Gen Digital and Abhinand, Amrita University\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-28 15:38:41.106000+00:00\", \"old_value\": \"2023-03-20 18:54:36.502000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\\n\\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\\n\\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \\n\\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event \", \"old_value\": \"Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\\n\\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,7 @@\\n Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\\n \\n-Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.\\n+Adversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\\n+\\n+* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \\n+\\n+* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event \"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
                     "previous_version": "1.1",
                     "version_change": "1.1 \u2192 1.2",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to52__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to52__0\"><a href=\"#difflib_chg_to52__top\">t</a></td><td class=\"diff_header\" id=\"from52_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to52__top\">t</a></td><td class=\"diff_header\" id=\"to52_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;uninstalling&nbsp;a&nbsp;target&nbsp;application.&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;uninstalling&nbsp;a&nbsp;target&nbsp;application.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">In&nbsp;earlier&nbsp;versions&nbsp;of&nbsp;Android,&nbsp;device&nbsp;administrator&nbsp;applica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">In&nbsp;earlier&nbsp;versions&nbsp;of&nbsp;Android,&nbsp;device&nbsp;administrator&nbsp;applica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tions&nbsp;needed&nbsp;their&nbsp;administration&nbsp;capabilities&nbsp;explicitly&nbsp;de</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tions&nbsp;needed&nbsp;their&nbsp;administration&nbsp;capabilities&nbsp;explicitly&nbsp;de</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">activated&nbsp;by&nbsp;the&nbsp;user&nbsp;before&nbsp;the&nbsp;application&nbsp;could&nbsp;be&nbsp;uninst</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">activated&nbsp;by&nbsp;the&nbsp;user&nbsp;before&nbsp;the&nbsp;application&nbsp;could&nbsp;be&nbsp;uninst</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alled.&nbsp;This&nbsp;was&nbsp;later&nbsp;updated&nbsp;so&nbsp;the&nbsp;user&nbsp;could&nbsp;deactivate&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">alled.&nbsp;This&nbsp;was&nbsp;later&nbsp;updated&nbsp;so&nbsp;the&nbsp;user&nbsp;could&nbsp;deactivate&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd&nbsp;uninstall&nbsp;the&nbsp;administrator&nbsp;application&nbsp;in&nbsp;one&nbsp;step.&nbsp;&nbsp;Adv</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;uninstall&nbsp;the&nbsp;administrator&nbsp;application&nbsp;in&nbsp;one&nbsp;step.&nbsp;&nbsp;Adv</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ersaries&nbsp;may&nbsp;also&nbsp;abuse&nbsp;the&nbsp;device&nbsp;accessibility&nbsp;APIs&nbsp;to&nbsp;pre</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ersaries&nbsp;may&nbsp;also&nbsp;abuse&nbsp;the&nbsp;device&nbsp;accessibility&nbsp;APIs&nbsp;to&nbsp;pre</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">vent&nbsp;removal.&nbsp;This&nbsp;set&nbsp;of&nbsp;APIs&nbsp;allows&nbsp;the&nbsp;application&nbsp;to&nbsp;per</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vent&nbsp;removal.&nbsp;This&nbsp;set&nbsp;of&nbsp;APIs&nbsp;allows&nbsp;the&nbsp;application&nbsp;to&nbsp;per</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">form&nbsp;certain&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;programmatica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">form&nbsp;certain&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;programmatica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lly&nbsp;determine&nbsp;what&nbsp;is&nbsp;being&nbsp;shown&nbsp;on&nbsp;the&nbsp;screen.&nbsp;The&nbsp;malicio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lly&nbsp;determine&nbsp;what&nbsp;is&nbsp;being&nbsp;shown&nbsp;on&nbsp;the&nbsp;screen.&nbsp;The&nbsp;malicio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">us&nbsp;application&nbsp;could&nbsp;monitor&nbsp;the&nbsp;device&nbsp;screen&nbsp;for&nbsp;certain&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">us&nbsp;application&nbsp;could&nbsp;monitor&nbsp;the&nbsp;device&nbsp;screen&nbsp;for&nbsp;certain&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">odals&nbsp;(e.g.,&nbsp;the&nbsp;confirmation&nbsp;modal&nbsp;to&nbsp;uninstall&nbsp;an&nbsp;applicat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">odals&nbsp;(e.g.,&nbsp;the&nbsp;confirmation&nbsp;modal&nbsp;to&nbsp;uninstall&nbsp;an&nbsp;applicat</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ion)&nbsp;and&nbsp;inject&nbsp;screen&nbsp;input&nbsp;or&nbsp;a&nbsp;back&nbsp;button&nbsp;tap&nbsp;to&nbsp;close&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ion)&nbsp;and&nbsp;inject&nbsp;screen&nbsp;input&nbsp;or&nbsp;a&nbsp;back&nbsp;button&nbsp;tap&nbsp;to&nbsp;close&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">he&nbsp;modal.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">he&nbsp;modal.&nbsp;For&nbsp;example,&nbsp;Android's&nbsp;`performGlobalAction(int)`&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">API&nbsp;could&nbsp;be&nbsp;utilized&nbsp;to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;removing&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">malicious&nbsp;application&nbsp;from&nbsp;the&nbsp;device&nbsp;after&nbsp;installation.&nbsp;If</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;user&nbsp;wants&nbsp;to&nbsp;uninstall&nbsp;the&nbsp;malicious&nbsp;application,&nbsp;two&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cases&nbsp;may&nbsp;occur,&nbsp;both&nbsp;preventing&nbsp;the&nbsp;user&nbsp;from&nbsp;removing&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">application.&nbsp;&nbsp;*&nbsp;Case&nbsp;1:&nbsp;If&nbsp;the&nbsp;integer&nbsp;argument&nbsp;passed&nbsp;to&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;API&nbsp;call&nbsp;is&nbsp;`2`&nbsp;or&nbsp;`GLOBAL_ACTION_HOME`,&nbsp;the&nbsp;malicious&nbsp;app</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lication&nbsp;may&nbsp;direct&nbsp;the&nbsp;user&nbsp;to&nbsp;the&nbsp;home&nbsp;screen&nbsp;from&nbsp;setting</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;screen&nbsp;&nbsp;&nbsp;*&nbsp;Case&nbsp;2:&nbsp;If&nbsp;the&nbsp;integer&nbsp;argument&nbsp;passed&nbsp;to&nbsp;the&nbsp;A</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">PI&nbsp;call&nbsp;is&nbsp;`1`&nbsp;or&nbsp;`GLOBAL_ACTION_BACK`,&nbsp;the&nbsp;malicious&nbsp;applic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation&nbsp;may&nbsp;emulate&nbsp;the&nbsp;back&nbsp;press&nbsp;event&nbsp;</span></td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to49__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to49__0\"><a href=\"#difflib_chg_to49__top\">t</a></td><td class=\"diff_header\" id=\"from49_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to49__top\">t</a></td><td class=\"diff_header\" id=\"to49_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">Adversaries&nbsp;may&nbsp;abuse&nbsp;the&nbsp;Android&nbsp;device&nbsp;administration&nbsp;API&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;uninstalling&nbsp;a&nbsp;target&nbsp;application.&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;uninstalling&nbsp;a&nbsp;target&nbsp;application.&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">In&nbsp;earlier&nbsp;versions&nbsp;of&nbsp;Android,&nbsp;device&nbsp;administrator&nbsp;applica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">In&nbsp;earlier&nbsp;versions&nbsp;of&nbsp;Android,&nbsp;device&nbsp;administrator&nbsp;applica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tions&nbsp;needed&nbsp;their&nbsp;administration&nbsp;capabilities&nbsp;explicitly&nbsp;de</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tions&nbsp;needed&nbsp;their&nbsp;administration&nbsp;capabilities&nbsp;explicitly&nbsp;de</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">activated&nbsp;by&nbsp;the&nbsp;user&nbsp;before&nbsp;the&nbsp;application&nbsp;could&nbsp;be&nbsp;uninst</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">activated&nbsp;by&nbsp;the&nbsp;user&nbsp;before&nbsp;the&nbsp;application&nbsp;could&nbsp;be&nbsp;uninst</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">alled.&nbsp;This&nbsp;was&nbsp;later&nbsp;updated&nbsp;so&nbsp;the&nbsp;user&nbsp;could&nbsp;deactivate&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">alled.&nbsp;This&nbsp;was&nbsp;later&nbsp;updated&nbsp;so&nbsp;the&nbsp;user&nbsp;could&nbsp;deactivate&nbsp;a</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">nd&nbsp;uninstall&nbsp;the&nbsp;administrator&nbsp;application&nbsp;in&nbsp;one&nbsp;step.&nbsp;&nbsp;Adv</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">nd&nbsp;uninstall&nbsp;the&nbsp;administrator&nbsp;application&nbsp;in&nbsp;one&nbsp;step.&nbsp;&nbsp;Adv</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ersaries&nbsp;may&nbsp;also&nbsp;abuse&nbsp;the&nbsp;device&nbsp;accessibility&nbsp;APIs&nbsp;to&nbsp;pre</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ersaries&nbsp;may&nbsp;also&nbsp;abuse&nbsp;the&nbsp;device&nbsp;accessibility&nbsp;APIs&nbsp;to&nbsp;pre</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">vent&nbsp;removal.&nbsp;This&nbsp;set&nbsp;of&nbsp;APIs&nbsp;allows&nbsp;the&nbsp;application&nbsp;to&nbsp;per</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">vent&nbsp;removal.&nbsp;This&nbsp;set&nbsp;of&nbsp;APIs&nbsp;allows&nbsp;the&nbsp;application&nbsp;to&nbsp;per</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">form&nbsp;certain&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;programmatica</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">form&nbsp;certain&nbsp;actions&nbsp;on&nbsp;behalf&nbsp;of&nbsp;the&nbsp;user&nbsp;and&nbsp;programmatica</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">lly&nbsp;determine&nbsp;what&nbsp;is&nbsp;being&nbsp;shown&nbsp;on&nbsp;the&nbsp;screen.&nbsp;The&nbsp;malicio</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lly&nbsp;determine&nbsp;what&nbsp;is&nbsp;being&nbsp;shown&nbsp;on&nbsp;the&nbsp;screen.&nbsp;The&nbsp;malicio</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">us&nbsp;application&nbsp;could&nbsp;monitor&nbsp;the&nbsp;device&nbsp;screen&nbsp;for&nbsp;certain&nbsp;m</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">us&nbsp;application&nbsp;could&nbsp;monitor&nbsp;the&nbsp;device&nbsp;screen&nbsp;for&nbsp;certain&nbsp;m</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">odals&nbsp;(e.g.,&nbsp;the&nbsp;confirmation&nbsp;modal&nbsp;to&nbsp;uninstall&nbsp;an&nbsp;applicat</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">odals&nbsp;(e.g.,&nbsp;the&nbsp;confirmation&nbsp;modal&nbsp;to&nbsp;uninstall&nbsp;an&nbsp;applicat</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ion)&nbsp;and&nbsp;inject&nbsp;screen&nbsp;input&nbsp;or&nbsp;a&nbsp;back&nbsp;button&nbsp;tap&nbsp;to&nbsp;close&nbsp;t</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ion)&nbsp;and&nbsp;inject&nbsp;screen&nbsp;input&nbsp;or&nbsp;a&nbsp;back&nbsp;button&nbsp;tap&nbsp;to&nbsp;close&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">he&nbsp;modal.</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">he&nbsp;modal.&nbsp;For&nbsp;example,&nbsp;Android's&nbsp;`performGlobalAction(int)`&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">API&nbsp;could&nbsp;be&nbsp;utilized&nbsp;to&nbsp;prevent&nbsp;the&nbsp;user&nbsp;from&nbsp;removing&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">malicious&nbsp;application&nbsp;from&nbsp;the&nbsp;device&nbsp;after&nbsp;installation.&nbsp;If</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;the&nbsp;user&nbsp;wants&nbsp;to&nbsp;uninstall&nbsp;the&nbsp;malicious&nbsp;application,&nbsp;two&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">cases&nbsp;may&nbsp;occur,&nbsp;both&nbsp;preventing&nbsp;the&nbsp;user&nbsp;from&nbsp;removing&nbsp;the&nbsp;</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">application.&nbsp;&nbsp;*&nbsp;Case&nbsp;1:&nbsp;If&nbsp;the&nbsp;integer&nbsp;argument&nbsp;passed&nbsp;to&nbsp;th</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;API&nbsp;call&nbsp;is&nbsp;`2`&nbsp;or&nbsp;`GLOBAL_ACTION_HOME`,&nbsp;the&nbsp;malicious&nbsp;app</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lication&nbsp;may&nbsp;direct&nbsp;the&nbsp;user&nbsp;to&nbsp;the&nbsp;home&nbsp;screen&nbsp;from&nbsp;setting</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">s&nbsp;screen&nbsp;&nbsp;&nbsp;*&nbsp;Case&nbsp;2:&nbsp;If&nbsp;the&nbsp;integer&nbsp;argument&nbsp;passed&nbsp;to&nbsp;the&nbsp;A</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">PI&nbsp;call&nbsp;is&nbsp;`1`&nbsp;or&nbsp;`GLOBAL_ACTION_BACK`,&nbsp;the&nbsp;malicious&nbsp;applic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ation&nbsp;may&nbsp;emulate&nbsp;the&nbsp;back&nbsp;press&nbsp;event&nbsp;</span></td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1006: Use Recent OS Version",
@@ -21434,7 +21434,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-16 16:23:05.146000+00:00\", \"old_value\": \"2022-04-19 15:36:12.312000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary with physical access to a mobile device may seek to bypass the device\\u2019s lockscreen. Several methods exist to accomplish this, including:\\n\\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\\n\", \"old_value\": \"An adversary with physical access to a mobile device may seek to bypass the device\\u2019s lockscreen. Several methods exist to accomplish this, including:\\n\\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\\n* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\\n\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n An adversary with physical access to a mobile device may seek to bypass the device\\u2019s lockscreen. Several methods exist to accomplish this, including:\\n \\n * Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\\n-* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n+* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\\u201cshoulder surfing\\u201d) the device owner\\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\\n * Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}",
                     "previous_version": "1.2",
                     "version_change": "1.2 \u2192 1.3",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to50__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to50__0\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"from50_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td><td class=\"diff_next\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"to50_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;to&nbsp;bypass&nbsp;the&nbsp;device\u2019s&nbsp;lockscreen.&nbsp;Several&nbsp;methods&nbsp;exist&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;to&nbsp;bypass&nbsp;the&nbsp;device\u2019s&nbsp;lockscreen.&nbsp;Several&nbsp;methods&nbsp;exist&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;accomplish&nbsp;this,&nbsp;including:&nbsp;&nbsp;*&nbsp;Biometric&nbsp;spoofing:&nbsp;If&nbsp;biom</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;accomplish&nbsp;this,&nbsp;including:&nbsp;&nbsp;*&nbsp;Biometric&nbsp;spoofing:&nbsp;If&nbsp;biom</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etric&nbsp;authentication&nbsp;is&nbsp;used,&nbsp;an&nbsp;adversary&nbsp;could&nbsp;attempt&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etric&nbsp;authentication&nbsp;is&nbsp;used,&nbsp;an&nbsp;adversary&nbsp;could&nbsp;attempt&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spoof&nbsp;a&nbsp;mobile&nbsp;device\u2019s&nbsp;biometric&nbsp;authentication&nbsp;mechanism.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spoof&nbsp;a&nbsp;mobile&nbsp;device\u2019s&nbsp;biometric&nbsp;authentication&nbsp;mechanism.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Both&nbsp;iOS&nbsp;and&nbsp;Android&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;attack&nbsp;by&nbsp;requirin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Both&nbsp;iOS&nbsp;and&nbsp;Android&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;attack&nbsp;by&nbsp;requirin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;the&nbsp;device\u2019s&nbsp;passcode&nbsp;rather&nbsp;than&nbsp;biometrics&nbsp;to&nbsp;unlock&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;the&nbsp;device\u2019s&nbsp;passcode&nbsp;rather&nbsp;than&nbsp;biometrics&nbsp;to&nbsp;unlock&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;device&nbsp;after&nbsp;every&nbsp;device&nbsp;restart,&nbsp;and&nbsp;after&nbsp;a&nbsp;set&nbsp;or&nbsp;rando</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;device&nbsp;after&nbsp;every&nbsp;device&nbsp;restart,&nbsp;and&nbsp;after&nbsp;a&nbsp;set&nbsp;or&nbsp;rando</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m&nbsp;amount&nbsp;of&nbsp;time.(Citation:&nbsp;SRLabs-Fingerprint)(Citation:&nbsp;Th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m&nbsp;amount&nbsp;of&nbsp;time.(Citation:&nbsp;SRLabs-Fingerprint)(Citation:&nbsp;Th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eSun-FaceID)&nbsp;*&nbsp;Unlock&nbsp;code&nbsp;bypass:&nbsp;An&nbsp;adversar<span class=\"diff_chg\">ies&nbsp;could&nbsp;atte</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eSun-FaceID)&nbsp;*&nbsp;Unlock&nbsp;code&nbsp;bypass:&nbsp;An&nbsp;adversar<span class=\"diff_chg\">y&nbsp;could&nbsp;attemp</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">mpt&nbsp;to</span>&nbsp;brute-force&nbsp;or&nbsp;otherwise&nbsp;guess&nbsp;the&nbsp;lockscreen&nbsp;passcod</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">t&nbsp;to</span>&nbsp;brute-force&nbsp;or&nbsp;otherwise&nbsp;guess&nbsp;the&nbsp;lockscreen&nbsp;passcode&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(typically&nbsp;a&nbsp;PIN&nbsp;or&nbsp;password),&nbsp;including&nbsp;physically&nbsp;observ</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(typically&nbsp;a&nbsp;PIN&nbsp;or&nbsp;password),&nbsp;including&nbsp;physically&nbsp;observin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;(\u201cshoulder&nbsp;surfing\u201d)&nbsp;the&nbsp;device&nbsp;owner\u2019s&nbsp;use&nbsp;of&nbsp;the&nbsp;locks</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;(\u201cshoulder&nbsp;surfing\u201d)&nbsp;the&nbsp;device&nbsp;owner\u2019s&nbsp;use&nbsp;of&nbsp;the&nbsp;lockscr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">creen&nbsp;passcode.&nbsp;Mobile&nbsp;OS&nbsp;vendors&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;by&nbsp;im</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">een&nbsp;passcode.&nbsp;Mobile&nbsp;OS&nbsp;vendors&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;by&nbsp;impl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plementing&nbsp;incremental&nbsp;backoff&nbsp;timers&nbsp;after&nbsp;a&nbsp;set&nbsp;number&nbsp;of&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ementing&nbsp;incremental&nbsp;backoff&nbsp;timers&nbsp;after&nbsp;a&nbsp;set&nbsp;number&nbsp;of&nbsp;fa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">failed&nbsp;unlock&nbsp;attempts,&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;configurable&nbsp;full&nbsp;devic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iled&nbsp;unlock&nbsp;attempts,&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;configurable&nbsp;full&nbsp;device&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;wipe&nbsp;after&nbsp;several&nbsp;failed&nbsp;unlock&nbsp;attempts.&nbsp;*&nbsp;Vulnerability</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wipe&nbsp;after&nbsp;several&nbsp;failed&nbsp;unlock&nbsp;attempts.&nbsp;*&nbsp;Vulnerability&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;exploit:&nbsp;Techniques&nbsp;have&nbsp;been&nbsp;periodically&nbsp;demonstrated&nbsp;tha</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xploit:&nbsp;Techniques&nbsp;have&nbsp;been&nbsp;periodically&nbsp;demonstrated&nbsp;that&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;exploit&nbsp;mobile&nbsp;devices&nbsp;to&nbsp;bypass&nbsp;the&nbsp;lockscreen.&nbsp;The&nbsp;vulne</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">exploit&nbsp;mobile&nbsp;devices&nbsp;to&nbsp;bypass&nbsp;the&nbsp;lockscreen.&nbsp;The&nbsp;vulnera</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rabilities&nbsp;are&nbsp;generally&nbsp;patched&nbsp;by&nbsp;the&nbsp;device&nbsp;or&nbsp;OS&nbsp;vendor&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bilities&nbsp;are&nbsp;generally&nbsp;patched&nbsp;by&nbsp;the&nbsp;device&nbsp;or&nbsp;OS&nbsp;vendor&nbsp;on</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">once&nbsp;disclosed.(Citation:&nbsp;Wired-AndroidBypass)(Citation:&nbsp;Kas</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;disclosed.(Citation:&nbsp;Wired-AndroidBypass)(Citation:&nbsp;Kaspe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">persky-iOSBypass)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rsky-iOSBypass)&nbsp;</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to51__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to51__0\"><a href=\"#difflib_chg_to51__top\">t</a></td><td class=\"diff_header\" id=\"from51_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td><td class=\"diff_next\"><a href=\"#difflib_chg_to51__top\">t</a></td><td class=\"diff_header\" id=\"to51_1\">1</td><td nowrap=\"nowrap\">An&nbsp;adversary&nbsp;with&nbsp;physical&nbsp;access&nbsp;to&nbsp;a&nbsp;mobile&nbsp;device&nbsp;may&nbsp;see</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;to&nbsp;bypass&nbsp;the&nbsp;device\u2019s&nbsp;lockscreen.&nbsp;Several&nbsp;methods&nbsp;exist&nbsp;t</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k&nbsp;to&nbsp;bypass&nbsp;the&nbsp;device\u2019s&nbsp;lockscreen.&nbsp;Several&nbsp;methods&nbsp;exist&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;accomplish&nbsp;this,&nbsp;including:&nbsp;&nbsp;*&nbsp;Biometric&nbsp;spoofing:&nbsp;If&nbsp;biom</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">o&nbsp;accomplish&nbsp;this,&nbsp;including:&nbsp;&nbsp;*&nbsp;Biometric&nbsp;spoofing:&nbsp;If&nbsp;biom</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etric&nbsp;authentication&nbsp;is&nbsp;used,&nbsp;an&nbsp;adversary&nbsp;could&nbsp;attempt&nbsp;to&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">etric&nbsp;authentication&nbsp;is&nbsp;used,&nbsp;an&nbsp;adversary&nbsp;could&nbsp;attempt&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spoof&nbsp;a&nbsp;mobile&nbsp;device\u2019s&nbsp;biometric&nbsp;authentication&nbsp;mechanism.&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">spoof&nbsp;a&nbsp;mobile&nbsp;device\u2019s&nbsp;biometric&nbsp;authentication&nbsp;mechanism.&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Both&nbsp;iOS&nbsp;and&nbsp;Android&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;attack&nbsp;by&nbsp;requirin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Both&nbsp;iOS&nbsp;and&nbsp;Android&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;attack&nbsp;by&nbsp;requirin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;the&nbsp;device\u2019s&nbsp;passcode&nbsp;rather&nbsp;than&nbsp;biometrics&nbsp;to&nbsp;unlock&nbsp;the</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;the&nbsp;device\u2019s&nbsp;passcode&nbsp;rather&nbsp;than&nbsp;biometrics&nbsp;to&nbsp;unlock&nbsp;the</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;device&nbsp;after&nbsp;every&nbsp;device&nbsp;restart,&nbsp;and&nbsp;after&nbsp;a&nbsp;set&nbsp;or&nbsp;rando</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;device&nbsp;after&nbsp;every&nbsp;device&nbsp;restart,&nbsp;and&nbsp;after&nbsp;a&nbsp;set&nbsp;or&nbsp;rando</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m&nbsp;amount&nbsp;of&nbsp;time.(Citation:&nbsp;SRLabs-Fingerprint)(Citation:&nbsp;Th</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m&nbsp;amount&nbsp;of&nbsp;time.(Citation:&nbsp;SRLabs-Fingerprint)(Citation:&nbsp;Th</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eSun-FaceID)&nbsp;*&nbsp;Unlock&nbsp;code&nbsp;bypass:&nbsp;An&nbsp;adversar<span class=\"diff_chg\">ies&nbsp;could&nbsp;atte</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eSun-FaceID)&nbsp;*&nbsp;Unlock&nbsp;code&nbsp;bypass:&nbsp;An&nbsp;adversar<span class=\"diff_chg\">y&nbsp;could&nbsp;attemp</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">mpt&nbsp;to</span>&nbsp;brute-force&nbsp;or&nbsp;otherwise&nbsp;guess&nbsp;the&nbsp;lockscreen&nbsp;passcod</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">t&nbsp;to</span>&nbsp;brute-force&nbsp;or&nbsp;otherwise&nbsp;guess&nbsp;the&nbsp;lockscreen&nbsp;passcode&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;(typically&nbsp;a&nbsp;PIN&nbsp;or&nbsp;password),&nbsp;including&nbsp;physically&nbsp;observ</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(typically&nbsp;a&nbsp;PIN&nbsp;or&nbsp;password),&nbsp;including&nbsp;physically&nbsp;observin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ing&nbsp;(\u201cshoulder&nbsp;surfing\u201d)&nbsp;the&nbsp;device&nbsp;owner\u2019s&nbsp;use&nbsp;of&nbsp;the&nbsp;locks</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;(\u201cshoulder&nbsp;surfing\u201d)&nbsp;the&nbsp;device&nbsp;owner\u2019s&nbsp;use&nbsp;of&nbsp;the&nbsp;lockscr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">creen&nbsp;passcode.&nbsp;Mobile&nbsp;OS&nbsp;vendors&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;by&nbsp;im</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">een&nbsp;passcode.&nbsp;Mobile&nbsp;OS&nbsp;vendors&nbsp;partly&nbsp;mitigate&nbsp;this&nbsp;by&nbsp;impl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plementing&nbsp;incremental&nbsp;backoff&nbsp;timers&nbsp;after&nbsp;a&nbsp;set&nbsp;number&nbsp;of&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ementing&nbsp;incremental&nbsp;backoff&nbsp;timers&nbsp;after&nbsp;a&nbsp;set&nbsp;number&nbsp;of&nbsp;fa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">failed&nbsp;unlock&nbsp;attempts,&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;configurable&nbsp;full&nbsp;devic</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">iled&nbsp;unlock&nbsp;attempts,&nbsp;as&nbsp;well&nbsp;as&nbsp;a&nbsp;configurable&nbsp;full&nbsp;device&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;wipe&nbsp;after&nbsp;several&nbsp;failed&nbsp;unlock&nbsp;attempts.&nbsp;*&nbsp;Vulnerability</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">wipe&nbsp;after&nbsp;several&nbsp;failed&nbsp;unlock&nbsp;attempts.&nbsp;*&nbsp;Vulnerability&nbsp;e</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;exploit:&nbsp;Techniques&nbsp;have&nbsp;been&nbsp;periodically&nbsp;demonstrated&nbsp;tha</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">xploit:&nbsp;Techniques&nbsp;have&nbsp;been&nbsp;periodically&nbsp;demonstrated&nbsp;that&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;exploit&nbsp;mobile&nbsp;devices&nbsp;to&nbsp;bypass&nbsp;the&nbsp;lockscreen.&nbsp;The&nbsp;vulne</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">exploit&nbsp;mobile&nbsp;devices&nbsp;to&nbsp;bypass&nbsp;the&nbsp;lockscreen.&nbsp;The&nbsp;vulnera</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rabilities&nbsp;are&nbsp;generally&nbsp;patched&nbsp;by&nbsp;the&nbsp;device&nbsp;or&nbsp;OS&nbsp;vendor&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">bilities&nbsp;are&nbsp;generally&nbsp;patched&nbsp;by&nbsp;the&nbsp;device&nbsp;or&nbsp;OS&nbsp;vendor&nbsp;on</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">once&nbsp;disclosed.(Citation:&nbsp;Wired-AndroidBypass)(Citation:&nbsp;Kas</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;disclosed.(Citation:&nbsp;Wired-AndroidBypass)(Citation:&nbsp;Kaspe</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">persky-iOSBypass)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rsky-iOSBypass)&nbsp;</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1001: Security Updates",
@@ -21910,7 +21910,7 @@
                     "x_mitre_version": "1.1",
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 19:19:37.927000+00:00\", \"old_value\": \"2023-03-20 15:45:44.103000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\", \"old_value\": \"Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.\"}}}",
                     "previous_version": "1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to53__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to53__0\"><a href=\"#difflib_chg_to53__top\">t</a></td><td class=\"diff_header\" id=\"from53_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to53__top\">t</a></td><td class=\"diff_header\" id=\"to53_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;can&nbsp;be&nbsp;stored&nbsp;in&nbsp;several&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;can&nbsp;be&nbsp;stored&nbsp;in&nbsp;several&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">places&nbsp;on&nbsp;a&nbsp;device,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;app</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">places&nbsp;on&nbsp;a&nbsp;device,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;app</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;ap</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;ap</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plications&nbsp;that&nbsp;store&nbsp;passwords&nbsp;to&nbsp;make&nbsp;it&nbsp;easier&nbsp;for&nbsp;users&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plications&nbsp;that&nbsp;store&nbsp;passwords&nbsp;to&nbsp;make&nbsp;it&nbsp;easier&nbsp;for&nbsp;users&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">manage&nbsp;and&nbsp;maintain.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtained,&nbsp;they&nbsp;can</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;</span>manage&nbsp;and&nbsp;maintain.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtained,&nbsp;they&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;restricted&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">can&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;restricte</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nformation.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;information.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to50__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to50__0\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"from50_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to50__top\">t</a></td><td class=\"diff_header\" id=\"to50_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;search&nbsp;common&nbsp;password&nbsp;storage&nbsp;locations&nbsp;to&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;can&nbsp;be&nbsp;stored&nbsp;in&nbsp;several&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">obtain&nbsp;user&nbsp;credentials.&nbsp;Passwords&nbsp;can&nbsp;be&nbsp;stored&nbsp;in&nbsp;several&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">places&nbsp;on&nbsp;a&nbsp;device,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;app</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">places&nbsp;on&nbsp;a&nbsp;device,&nbsp;depending&nbsp;on&nbsp;the&nbsp;operating&nbsp;system&nbsp;or&nbsp;app</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;ap</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lication&nbsp;holding&nbsp;the&nbsp;credentials.&nbsp;There&nbsp;are&nbsp;also&nbsp;specific&nbsp;ap</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plications&nbsp;that&nbsp;store&nbsp;passwords&nbsp;to&nbsp;make&nbsp;it&nbsp;easier&nbsp;for&nbsp;users&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">plications&nbsp;that&nbsp;store&nbsp;passwords&nbsp;to&nbsp;make&nbsp;it&nbsp;easier&nbsp;for&nbsp;users&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">manage&nbsp;and&nbsp;maintain.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtained,&nbsp;they&nbsp;can</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">to&nbsp;</span>manage&nbsp;and&nbsp;maintain.&nbsp;Once&nbsp;credentials&nbsp;are&nbsp;obtained,&nbsp;they&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;restricted&nbsp;i</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">can&nbsp;be&nbsp;used&nbsp;to&nbsp;perform&nbsp;lateral&nbsp;movement&nbsp;and&nbsp;access&nbsp;restricte</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nformation.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;information.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1001: Security Updates",
@@ -22043,7 +22043,7 @@
                     "x_mitre_version": "1.1",
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 19:20:51.220000+00:00\", \"old_value\": \"2023-03-20 18:46:08.412000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n\\n\\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.\", \"old_value\": \"Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n\\n\\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n+Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \\n \\n \\n On Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.\"}}}",
                     "previous_version": "1.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to49__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to49__0\"><a href=\"#difflib_chg_to49__top\">t</a></td><td class=\"diff_header\" id=\"from49_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td><td class=\"diff_next\"><a href=\"#difflib_chg_to49__top\">t</a></td><td class=\"diff_header\" id=\"to49_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cking&nbsp;the&nbsp;way&nbsp;an&nbsp;operating&nbsp;system&nbsp;run&nbsp;applications.&nbsp;Hijackin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cking&nbsp;the&nbsp;way&nbsp;an&nbsp;operating&nbsp;system&nbsp;run<span class=\"diff_add\">s</span>&nbsp;applications.&nbsp;Hijacki</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;execution&nbsp;flow&nbsp;can&nbsp;be&nbsp;for&nbsp;the&nbsp;purposes&nbsp;of&nbsp;persistence&nbsp;sinc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;execution&nbsp;flow&nbsp;can&nbsp;be&nbsp;for&nbsp;the&nbsp;purposes&nbsp;of&nbsp;persistence&nbsp;sin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;this&nbsp;hijacked&nbsp;execution&nbsp;may&nbsp;reoccur&nbsp;at&nbsp;later&nbsp;points&nbsp;in&nbsp;tim</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;this&nbsp;hijacked&nbsp;execution&nbsp;may&nbsp;reoccur&nbsp;at&nbsp;later&nbsp;points&nbsp;in&nbsp;ti</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e.&nbsp;&nbsp;&nbsp;&nbsp;On&nbsp;Android,&nbsp;adversaries&nbsp;may&nbsp;overwrite&nbsp;the&nbsp;standard&nbsp;OS&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">me.&nbsp;&nbsp;&nbsp;&nbsp;On&nbsp;Android,&nbsp;adversaries&nbsp;may&nbsp;overwrite&nbsp;the&nbsp;standard&nbsp;OS</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">API&nbsp;library&nbsp;with&nbsp;a&nbsp;malicious&nbsp;alternative&nbsp;to&nbsp;hook&nbsp;into&nbsp;core&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;API&nbsp;library&nbsp;with&nbsp;a&nbsp;malicious&nbsp;alternative&nbsp;to&nbsp;hook&nbsp;into&nbsp;core&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unctions&nbsp;to&nbsp;achieve&nbsp;persistence.&nbsp;By&nbsp;doing&nbsp;this,&nbsp;the&nbsp;adversar</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">functions&nbsp;to&nbsp;achieve&nbsp;persistence.&nbsp;By&nbsp;doing&nbsp;this,&nbsp;the&nbsp;adversa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y\u2019s&nbsp;code&nbsp;will&nbsp;be&nbsp;executed&nbsp;every&nbsp;time&nbsp;the&nbsp;overwritten&nbsp;API&nbsp;fun</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ry\u2019s&nbsp;code&nbsp;will&nbsp;be&nbsp;executed&nbsp;every&nbsp;time&nbsp;the&nbsp;overwritten&nbsp;API&nbsp;fu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ction&nbsp;is&nbsp;called&nbsp;by&nbsp;an&nbsp;app&nbsp;on&nbsp;the&nbsp;infected&nbsp;device.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nction&nbsp;is&nbsp;called&nbsp;by&nbsp;an&nbsp;app&nbsp;on&nbsp;the&nbsp;infected&nbsp;device.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to53__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to53__0\"><a href=\"#difflib_chg_to53__top\">t</a></td><td class=\"diff_header\" id=\"from53_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td><td class=\"diff_next\"><a href=\"#difflib_chg_to53__top\">t</a></td><td class=\"diff_header\" id=\"to53_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;execute&nbsp;their&nbsp;own&nbsp;malicious&nbsp;payloads&nbsp;by&nbsp;hija</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cking&nbsp;the&nbsp;way&nbsp;an&nbsp;operating&nbsp;system&nbsp;run&nbsp;applications.&nbsp;Hijackin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">cking&nbsp;the&nbsp;way&nbsp;an&nbsp;operating&nbsp;system&nbsp;run<span class=\"diff_add\">s</span>&nbsp;applications.&nbsp;Hijacki</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">g&nbsp;execution&nbsp;flow&nbsp;can&nbsp;be&nbsp;for&nbsp;the&nbsp;purposes&nbsp;of&nbsp;persistence&nbsp;sinc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ng&nbsp;execution&nbsp;flow&nbsp;can&nbsp;be&nbsp;for&nbsp;the&nbsp;purposes&nbsp;of&nbsp;persistence&nbsp;sin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e&nbsp;this&nbsp;hijacked&nbsp;execution&nbsp;may&nbsp;reoccur&nbsp;at&nbsp;later&nbsp;points&nbsp;in&nbsp;tim</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ce&nbsp;this&nbsp;hijacked&nbsp;execution&nbsp;may&nbsp;reoccur&nbsp;at&nbsp;later&nbsp;points&nbsp;in&nbsp;ti</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e.&nbsp;&nbsp;&nbsp;&nbsp;On&nbsp;Android,&nbsp;adversaries&nbsp;may&nbsp;overwrite&nbsp;the&nbsp;standard&nbsp;OS&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">me.&nbsp;&nbsp;&nbsp;&nbsp;On&nbsp;Android,&nbsp;adversaries&nbsp;may&nbsp;overwrite&nbsp;the&nbsp;standard&nbsp;OS</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">API&nbsp;library&nbsp;with&nbsp;a&nbsp;malicious&nbsp;alternative&nbsp;to&nbsp;hook&nbsp;into&nbsp;core&nbsp;f</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;API&nbsp;library&nbsp;with&nbsp;a&nbsp;malicious&nbsp;alternative&nbsp;to&nbsp;hook&nbsp;into&nbsp;core&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">unctions&nbsp;to&nbsp;achieve&nbsp;persistence.&nbsp;By&nbsp;doing&nbsp;this,&nbsp;the&nbsp;adversar</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">functions&nbsp;to&nbsp;achieve&nbsp;persistence.&nbsp;By&nbsp;doing&nbsp;this,&nbsp;the&nbsp;adversa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y\u2019s&nbsp;code&nbsp;will&nbsp;be&nbsp;executed&nbsp;every&nbsp;time&nbsp;the&nbsp;overwritten&nbsp;API&nbsp;fun</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ry\u2019s&nbsp;code&nbsp;will&nbsp;be&nbsp;executed&nbsp;every&nbsp;time&nbsp;the&nbsp;overwritten&nbsp;API&nbsp;fu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ction&nbsp;is&nbsp;called&nbsp;by&nbsp;an&nbsp;app&nbsp;on&nbsp;the&nbsp;infected&nbsp;device.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nction&nbsp;is&nbsp;called&nbsp;by&nbsp;an&nbsp;app&nbsp;on&nbsp;the&nbsp;infected&nbsp;device.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [
                             "M1002: Attestation",
@@ -22196,7 +22196,7 @@
                     "x_mitre_version": "2.1",
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-08 19:21:40.736000+00:00\", \"old_value\": \"2023-03-20 18:51:58.228000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\", \"old_value\": \"Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\"}}}",
                     "previous_version": "2.1",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to51__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to51__0\"><a href=\"#difflib_chg_to51__top\">t</a></td><td class=\"diff_header\" id=\"from51_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td><td class=\"diff_next\"><a href=\"#difflib_chg_to51__top\">t</a></td><td class=\"diff_header\" id=\"to51_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;port&nbsp;pa<span class=\"diff_chg\">ring</span>&nbsp;that&nbsp;are&nbsp;typically&nbsp;not&nbsp;associated.&nbsp;For&nbsp;example</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;port&nbsp;pa<span class=\"diff_chg\">iring</span>&nbsp;that&nbsp;are&nbsp;typically&nbsp;not&nbsp;associated.&nbsp;For&nbsp;exampl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;HTTPS&nbsp;over&nbsp;port&nbsp;8088&nbsp;or&nbsp;port&nbsp;587&nbsp;as&nbsp;opposed&nbsp;to&nbsp;the&nbsp;traditi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;HTTPS&nbsp;over&nbsp;port&nbsp;8088&nbsp;or&nbsp;port&nbsp;587&nbsp;as&nbsp;opposed&nbsp;to&nbsp;the&nbsp;tradit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onal&nbsp;port&nbsp;443.&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;changes&nbsp;to&nbsp;the&nbsp;standard&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ional&nbsp;port&nbsp;443.&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;changes&nbsp;to&nbsp;the&nbsp;standard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">port&nbsp;used&nbsp;by&nbsp;a&nbsp;protocol&nbsp;to&nbsp;bypass&nbsp;filtering&nbsp;or&nbsp;muddle&nbsp;analys</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;port&nbsp;used&nbsp;by&nbsp;a&nbsp;protocol&nbsp;to&nbsp;bypass&nbsp;filtering&nbsp;or&nbsp;muddle&nbsp;analy</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">is/parsing&nbsp;of&nbsp;network&nbsp;data.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sis/parsing&nbsp;of&nbsp;network&nbsp;data.</td></tr>\n        </tbody>\n    </table>",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to52__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to52__0\"><a href=\"#difflib_chg_to52__top\">t</a></td><td class=\"diff_header\" id=\"from52_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td><td class=\"diff_next\"><a href=\"#difflib_chg_to52__top\">t</a></td><td class=\"diff_header\" id=\"to52_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;generate&nbsp;network&nbsp;traffic&nbsp;using&nbsp;a&nbsp;protocol&nbsp;an</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;port&nbsp;pa<span class=\"diff_chg\">ring</span>&nbsp;that&nbsp;are&nbsp;typically&nbsp;not&nbsp;associated.&nbsp;For&nbsp;example</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;port&nbsp;pa<span class=\"diff_chg\">iring</span>&nbsp;that&nbsp;are&nbsp;typically&nbsp;not&nbsp;associated.&nbsp;For&nbsp;exampl</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">,&nbsp;HTTPS&nbsp;over&nbsp;port&nbsp;8088&nbsp;or&nbsp;port&nbsp;587&nbsp;as&nbsp;opposed&nbsp;to&nbsp;the&nbsp;traditi</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">e,&nbsp;HTTPS&nbsp;over&nbsp;port&nbsp;8088&nbsp;or&nbsp;port&nbsp;587&nbsp;as&nbsp;opposed&nbsp;to&nbsp;the&nbsp;tradit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">onal&nbsp;port&nbsp;443.&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;changes&nbsp;to&nbsp;the&nbsp;standard&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ional&nbsp;port&nbsp;443.&nbsp;Adversaries&nbsp;may&nbsp;make&nbsp;changes&nbsp;to&nbsp;the&nbsp;standard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">port&nbsp;used&nbsp;by&nbsp;a&nbsp;protocol&nbsp;to&nbsp;bypass&nbsp;filtering&nbsp;or&nbsp;muddle&nbsp;analys</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;port&nbsp;used&nbsp;by&nbsp;a&nbsp;protocol&nbsp;to&nbsp;bypass&nbsp;filtering&nbsp;or&nbsp;muddle&nbsp;analy</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">is/parsing&nbsp;of&nbsp;network&nbsp;data.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">sis/parsing&nbsp;of&nbsp;network&nbsp;data.</td></tr>\n        </tbody>\n    </table>",
                     "changelog_mitigations": {
                         "shared": [],
                         "new": [],
@@ -29204,7 +29204,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-10-04 18:10:49.054000+00:00\", \"old_value\": \"2023-03-22 03:51:04.185000+00:00\"}, \"root['description']\": {\"new_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)\", \"old_value\": \"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"Mandiant FIN7 Apr 2022\", \"description\": \"Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.\", \"url\": \"https://www.mandiant.com/resources/evolution-of-fin7\"}}}",
                     "previous_version": "2.2",
                     "version_change": "2.2 \u2192 3.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to55__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to55__0\"><a href=\"#difflib_chg_to55__top\">t</a></td><td class=\"diff_header\" id=\"from55_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to55__top\">t</a></td><td class=\"diff_header\" id=\"to55_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013.&nbsp;[</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">imarily&nbsp;targeting&nbsp;the&nbsp;U.S.&nbsp;retail,&nbsp;restaurant,&nbsp;and&nbsp;hospitali</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">FIN7](https://attack.mitre.org/groups/G0046)&nbsp;has&nbsp;primarily&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ty&nbsp;sectors,&nbsp;often&nbsp;using&nbsp;point-of-sale&nbsp;malware.&nbsp;A&nbsp;portion&nbsp;of&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">argeted&nbsp;the&nbsp;retail,&nbsp;restaurant,&nbsp;hospitality,&nbsp;software,&nbsp;consu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lting,&nbsp;financial&nbsp;services,&nbsp;medical&nbsp;equipment,&nbsp;cloud&nbsp;services</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Combi&nbsp;Security.&nbsp;Since&nbsp;2020&nbsp;[FIN7](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;media,&nbsp;food&nbsp;and&nbsp;beverage,&nbsp;transportation,&nbsp;and&nbsp;utilities&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/groups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dustries&nbsp;in&nbsp;the&nbsp;U.S.&nbsp;A&nbsp;portion&nbsp;of&nbsp;[FIN7](https://attack.mitr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;approach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/software/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mbi&nbsp;Security&nbsp;and&nbsp;often&nbsp;used&nbsp;point-of-sale&nbsp;malware&nbsp;for&nbsp;target</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Service&nbsp;(RaaS),&nbsp;Darkside.&nbsp;[FIN7](https:/</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;efforts.&nbsp;Since&nbsp;2020,&nbsp;[FIN7](https://attack.mitre.org/gro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/attack.mitre.org/groups/G0046)&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carban</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;ap</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ak](https://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">proach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](https://attack.mitre.org/sof</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">appears&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tware/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Servic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.mitre.org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;(RaaS),&nbsp;Darkside.&nbsp;FIN7&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carbanak](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;separately.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;Fi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;appears</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">reEye&nbsp;FIN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carb</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked&nbsp;separa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on&nbsp;Spider&nbsp;August&nbsp;2021)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tely.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;F</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">IN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)(Citati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carbon&nbsp;Spid</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;August&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;FIN7&nbsp;Apr&nbsp;2022)</span></td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to54__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to54__0\"><a href=\"#difflib_chg_to54__top\">t</a></td><td class=\"diff_header\" id=\"from54_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td><td class=\"diff_next\"><a href=\"#difflib_chg_to54__top\">t</a></td><td class=\"diff_header\" id=\"to54_1\">1</td><td nowrap=\"nowrap\"><span class=\"diff_add\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;is&nbsp;a&nbsp;financial</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013&nbsp;pr</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ly-motivated&nbsp;threat&nbsp;group&nbsp;that&nbsp;has&nbsp;been&nbsp;active&nbsp;since&nbsp;2013.&nbsp;[</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">imarily&nbsp;targeting&nbsp;the&nbsp;U.S.&nbsp;retail,&nbsp;restaurant,&nbsp;and&nbsp;hospitali</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">FIN7](https://attack.mitre.org/groups/G0046)&nbsp;has&nbsp;primarily&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ty&nbsp;sectors,&nbsp;often&nbsp;using&nbsp;point-of-sale&nbsp;malware.&nbsp;A&nbsp;portion&nbsp;of&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">argeted&nbsp;the&nbsp;retail,&nbsp;restaurant,&nbsp;hospitality,&nbsp;software,&nbsp;consu</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">[FIN7](https://attack.mitre.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">lting,&nbsp;financial&nbsp;services,&nbsp;medical&nbsp;equipment,&nbsp;cloud&nbsp;services</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Combi&nbsp;Security.&nbsp;Since&nbsp;2020&nbsp;[FIN7](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">,&nbsp;media,&nbsp;food&nbsp;and&nbsp;beverage,&nbsp;transportation,&nbsp;and&nbsp;utilities&nbsp;in</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/groups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">dustries&nbsp;in&nbsp;the&nbsp;U.S.&nbsp;A&nbsp;portion&nbsp;of&nbsp;[FIN7](https://attack.mitr</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;approach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](ht</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e.org/groups/G0046)&nbsp;was&nbsp;run&nbsp;out&nbsp;of&nbsp;a&nbsp;front&nbsp;company&nbsp;called&nbsp;Co</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">tps://attack.mitre.org/software/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">mbi&nbsp;Security&nbsp;and&nbsp;often&nbsp;used&nbsp;point-of-sale&nbsp;malware&nbsp;for&nbsp;target</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Service&nbsp;(RaaS),&nbsp;Darkside.&nbsp;[FIN7](https:/</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ing&nbsp;efforts.&nbsp;Since&nbsp;2020,&nbsp;[FIN7](https://attack.mitre.org/gro</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">/attack.mitre.org/groups/G0046)&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carban</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ups/G0046)&nbsp;shifted&nbsp;operations&nbsp;to&nbsp;a&nbsp;big&nbsp;game&nbsp;hunting&nbsp;(BGH)&nbsp;ap</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">ak](https://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">proach&nbsp;including&nbsp;use&nbsp;of&nbsp;[REvil](https://attack.mitre.org/sof</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">appears&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tware/S0496)&nbsp;ransomware&nbsp;and&nbsp;their&nbsp;own&nbsp;Ransomware&nbsp;as&nbsp;a&nbsp;Servic</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">.mitre.org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">e&nbsp;(RaaS),&nbsp;Darkside.&nbsp;FIN7&nbsp;may&nbsp;be&nbsp;linked&nbsp;to&nbsp;the&nbsp;[Carbanak](htt</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">&nbsp;separately.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;Fi</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">ps://attack.mitre.org/groups/G0008)&nbsp;Group,&nbsp;but&nbsp;there&nbsp;appears</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">reEye&nbsp;FIN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">&nbsp;to&nbsp;be&nbsp;several&nbsp;groups&nbsp;using&nbsp;[Carbanak](https://attack.mitre.</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carb</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">org/software/S0030)&nbsp;malware&nbsp;and&nbsp;are&nbsp;therefore&nbsp;tracked&nbsp;separa</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_sub\">on&nbsp;Spider&nbsp;August&nbsp;2021)</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">tely.(Citation:&nbsp;FireEye&nbsp;FIN7&nbsp;March&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;F</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">IN7&nbsp;April&nbsp;2017)(Citation:&nbsp;FireEye&nbsp;CARBANAK&nbsp;June&nbsp;2017)(Citati</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">on:&nbsp;FireEye&nbsp;FIN7&nbsp;Aug&nbsp;2018)(Citation:&nbsp;CrowdStrike&nbsp;Carbon&nbsp;Spid</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_add\">er&nbsp;August&nbsp;2021)(Citation:&nbsp;Mandiant&nbsp;FIN7&nbsp;Apr&nbsp;2022)</span></td></tr>\n        </tbody>\n    </table>"
                 },
                 {
                     "type": "intrusion-set",
@@ -29323,7 +29323,7 @@
                     "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-12 14:35:52.920000+00:00\", \"old_value\": \"2023-03-22 05:44:27.289000+00:00\"}, \"root['description']\": {\"new_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\", \"old_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.0\", \"old_value\": \"2.1\"}}, \"iterable_item_added\": {\"root['aliases'][4]\": \"FIN12\", \"root['aliases'][5]\": \"GOLD BLACKBURN\", \"root['aliases'][6]\": \"ITG23\", \"root['aliases'][7]\": \"Periwinkle Tempest\", \"root['external_references'][4]\": {\"source_name\": \"ITG23\", \"description\": \"(Citation: IBM X-Force ITG23 Oct 2021)\"}, \"root['external_references'][5]\": {\"source_name\": \"FIN12\", \"description\": \"(Citation: Mandiant FIN12 Oct 2021)\"}, \"root['external_references'][6]\": {\"source_name\": \"GOLD BLACKBURN\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][7]\": {\"source_name\": \"Periwinkle Tempest\", \"description\": \"(Citation: Secureworks Gold Blackburn Mar 2022)\"}, \"root['external_references'][14]\": {\"source_name\": \"Secureworks Gold Blackburn Mar 2022\", \"description\": \"Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.\", \"url\": \"https://www.secureworks.com/research/threat-profiles/gold-blackburn\"}, \"root['external_references'][15]\": {\"source_name\": \"Mandiant FIN12 Oct 2021\", \"description\": \"Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.\", \"url\": \"https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf\"}, \"root['external_references'][16]\": {\"source_name\": \"IBM X-Force ITG23 Oct 2021\", \"description\": \"Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.\", \"url\": \"https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/\"}}}",
                     "previous_version": "2.1",
                     "version_change": "2.1 \u2192 3.0",
-                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to54__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to54__0\"><a href=\"#difflib_chg_to54__top\">t</a></td><td class=\"diff_header\" id=\"from54_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to54__top\">t</a></td><td class=\"diff_header\" id=\"to54_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">senal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campai</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">esenal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">orporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;January</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">corporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;Januar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;Oc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;O</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;2020</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;202</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">0)</td></tr>\n        </tbody>\n    </table>"
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to55__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to55__0\"><a href=\"#difflib_chg_to55__top\">t</a></td><td class=\"diff_header\" id=\"from55_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to55__top\">t</a></td><td class=\"diff_header\" id=\"to55_1\">1</td><td nowrap=\"nowrap\">[Wizard&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;is&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Russia-based&nbsp;financially&nbsp;motivated&nbsp;threat&nbsp;group&nbsp;originally&nbsp;k</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nown&nbsp;for&nbsp;the&nbsp;creation&nbsp;and&nbsp;deployment&nbsp;of&nbsp;[TrickBot](https://a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ttack.mitre.org/software/S0266)&nbsp;since&nbsp;at&nbsp;least&nbsp;2016.&nbsp;[Wizard</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Spider](https://attack.mitre.org/groups/G0102)&nbsp;possesses&nbsp;a&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">senal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campai</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">diverse&nbsp;ar<span class=\"diff_chg\">esenal</span>&nbsp;of&nbsp;tools&nbsp;and&nbsp;has&nbsp;conducted&nbsp;ransomware&nbsp;campa</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;c</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">igns&nbsp;against&nbsp;a&nbsp;variety&nbsp;of&nbsp;organizations,&nbsp;ranging&nbsp;from&nbsp;major&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">orporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;January</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">corporations&nbsp;to&nbsp;hospitals.(Citation:&nbsp;CrowdStrike&nbsp;Ryuk&nbsp;Januar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;Oc</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;2019)(Citation:&nbsp;DHS/CISA&nbsp;Ransomware&nbsp;Targeting&nbsp;Healthcare&nbsp;O</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;2020</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ctober&nbsp;2020)(Citation:&nbsp;CrowdStrike&nbsp;Wizard&nbsp;Spider&nbsp;October&nbsp;202</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">0)</td></tr>\n        </tbody>\n    </table>"
                 }
             ],
             "minor_version_changes": [
@@ -29660,7 +29660,58 @@
             "other_version_changes": [],
             "patches": [],
             "revocations": [],
-            "deprecations": [],
+            "deprecations": [
+                {
+                    "type": "campaign",
+                    "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-20 20:53:14.373000+00:00",
+                    "modified": "2023-09-20 22:40:13.147000+00:00",
+                    "name": "Oldsmar Treatment Plant Intrusion",
+                    "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)",
+                    "aliases": [
+                        "Oldsmar Treatment Plant Intrusion"
+                    ],
+                    "first_seen": "2021-02-01 05:00:00+00:00",
+                    "last_seen": "2021-02-01 05:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0009",
+                            "external_id": "C0009"
+                        },
+                        {
+                            "source_name": "CISA AA21-042A Water Treatment Intrusion Feb 2021",
+                            "description": "CISA. (2021, February 11). Compromise of U.S. Water Treatment Facility . Retrieved October 18, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-042a"
+                        },
+                        {
+                            "source_name": "Pinellas County Sheriffs Office February 2021",
+                            "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ",
+                            "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M"
+                        },
+                        {
+                            "source_name": "Dragos Oldsmar Feb 2021",
+                            "description": "Serino, G., et al . (2021, February 8). Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack. Retrieved October 21, 2022.",
+                            "url": "https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.1.0",
+                    "x_mitre_deprecated": true,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
+                    "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-09-20 22:40:13.147000+00:00\", \"old_value\": \"2022-10-21 15:56:01.070000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.1.0\", \"old_value\": \"3.0.0\"}, \"root['x_mitre_deprecated']\": {\"new_value\": true, \"old_value\": false}}}"
+                }
+            ],
             "deletions": []
         },
         "assets": {
diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/layer-enterprise.json b/modules/resources/docs/changelogs/v13.1-v14.0/layer-enterprise.json
index 28226b447f6..d382b4735f2 100644
--- a/modules/resources/docs/changelogs/v13.1-v14.0/layer-enterprise.json
+++ b/modules/resources/docs/changelogs/v13.1-v14.0/layer-enterprise.json
@@ -4,8 +4,8 @@
         "navigator": "4.8.0",
         "attack": "14.0"
     },
-    "name": "October 2023 Enterprise Updates",
-    "description": "Enterprise updates for the October 2023 release of ATT&CK",
+    "name": "November 2023 Enterprise Updates",
+    "description": "Enterprise updates for the November 2023 release of ATT&CK",
     "domain": "enterprise-attack",
     "techniques": [
         {
@@ -1122,15 +1122,15 @@
             "comment": "minor_version_change"
         },
         {
-            "techniqueID": "T1566.002",
-            "tactic": "initial-access",
+            "techniqueID": "T1598.003",
+            "tactic": "reconnaissance",
             "enabled": true,
             "color": "#c7c4e0",
             "comment": "minor_version_change"
         },
         {
-            "techniqueID": "T1598.003",
-            "tactic": "reconnaissance",
+            "techniqueID": "T1566.002",
+            "tactic": "initial-access",
             "enabled": true,
             "color": "#c7c4e0",
             "comment": "minor_version_change"
diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/layer-ics.json b/modules/resources/docs/changelogs/v13.1-v14.0/layer-ics.json
index 2931319f1d4..5594a87e907 100644
--- a/modules/resources/docs/changelogs/v13.1-v14.0/layer-ics.json
+++ b/modules/resources/docs/changelogs/v13.1-v14.0/layer-ics.json
@@ -4,8 +4,8 @@
         "navigator": "4.8.0",
         "attack": "14.0"
     },
-    "name": "October 2023 ICS Updates",
-    "description": "ICS updates for the October 2023 release of ATT&CK",
+    "name": "November 2023 ICS Updates",
+    "description": "ICS updates for the November 2023 release of ATT&CK",
     "domain": "ics-attack",
     "techniques": [
         {
diff --git a/modules/resources/docs/changelogs/v13.1-v14.0/layer-mobile.json b/modules/resources/docs/changelogs/v13.1-v14.0/layer-mobile.json
index 61827882e27..119afdf7189 100644
--- a/modules/resources/docs/changelogs/v13.1-v14.0/layer-mobile.json
+++ b/modules/resources/docs/changelogs/v13.1-v14.0/layer-mobile.json
@@ -4,8 +4,8 @@
         "navigator": "4.8.0",
         "attack": "14.0"
     },
-    "name": "October 2023 Mobile Updates",
-    "description": "Mobile updates for the October 2023 release of ATT&CK",
+    "name": "November 2023 Mobile Updates",
+    "description": "Mobile updates for the November 2023 release of ATT&CK",
     "domain": "mobile-attack",
     "techniques": [
         {
diff --git a/modules/resources/docs/changelogs/v14.0-v14.1/changelog-detailed.html b/modules/resources/docs/changelogs/v14.0-v14.1/changelog-detailed.html
new file mode 100644
index 00000000000..fd582b1de82
--- /dev/null
+++ b/modules/resources/docs/changelogs/v14.0-v14.1/changelog-detailed.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <title>ATT&CK Changes</title>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf8">
+        <style type="text/css">
+            table.diff {font-family:Courier; border:medium;}
+            .diff_header {background-color:#e0e0e0}
+            td.diff_header {text-align:right}
+            .diff_next {background-color:#c0c0c0}
+            .diff_add {background-color:#aaffaa}
+            .diff_chg {background-color:#ffff77}
+            .diff_sub {background-color:#ffaaaa}
+        </style>
+    </head>
+    <body>
+<h1>ATT&CK Changes Between v14.0 and v14.1</h1><h2>Key</h2>
+<ul>
+<li>New objects: ATT&amp;CK objects which are only present in the new release.</li>
+<li>Major version changes: ATT&amp;CK objects that have a major version change. (e.g. 1.0 → 2.0)</li>
+<li>Minor version changes: ATT&amp;CK objects that have a minor version change. (e.g. 1.0 → 1.1)</li>
+<li>Other version changes: ATT&amp;CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)</li>
+<li>Patches: ATT&amp;CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)</li>
+<li>Object revocations: ATT&amp;CK objects which are revoked by a different object.</li>
+<li>Object deprecations: ATT&amp;CK objects which are deprecated and no longer in use, and not replaced.</li>
+<li>Object deletions: ATT&amp;CK objects which are no longer found in the STIX data.</li>
+</ul><table class=diff summary=Legends>
+    <tr>
+        <td>
+            <table border= summary=Colors>
+                <tr><th>Colors for description field</th></tr>
+                <tr><td class=diff_add>Added</td></tr>
+                <tr><td class=diff_chg>Changed</td></tr>
+                <tr><td class=diff_sub>Deleted</td></tr>
+            </table>
+        </td>
+    </tr>
+</table>
+<h2>Additional formats</h2>
+<p>These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.</p>
+<ul>
+    <li><a href="/docs/changelogs/v14.0-v14.1/layer-enterprise.json">Enterprise changes</a></li>
+    <li><a href="/docs/changelogs/v14.0-v14.1/layer-mobile.json">Mobile changes</a></li>
+    <li><a href="/docs/changelogs/v14.0-v14.1/layer-ics.json">ICS changes</a></li>
+</ul>
+<p>This JSON file contains the machine readble output used to create this page: <a href="/docs/changelogs/v14.0-v14.1/changelog.json">changelog.json</a></p>
+<h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>[T1564.011] Hide Artifacts: Ignore Process Interrupts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_contributors</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['Viren Chaudhari, Qualys']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-06 20:17:26.167000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-11-06 20:14:51.609000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr></tbody></table></details></details><h2>Software</h2><h3>enterprise-attack</h3><details><summary>Minor Version Changes</summary><hr><h4>[S0373] Astaroth</h4><p><b>Current version</b>: 2.2</p><p><b>Version changed from</b>: 2.1 → 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-03-21 21:20:23.717000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-11-06 20:12:28.502000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'>2.2</td></tr></tbody></table></details></details><h2>Data Components</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>File: File Metadata</h4><p><b>Current version</b>: 1.0</p>
+    <table class="diff" id="difflib_chg_to56__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to56__0"><a href="#difflib_chg_to56__top">t</a></td><td class="diff_header" id="from56_1">1</td><td nowrap="nowrap">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to56__top">t</a></td><td class="diff_header" id="to56_1">1</td><td nowrap="nowrap">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">edia),&nbsp;user/ower,&nbsp;permissions,&nbsp;etc.</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">edia),&nbsp;user/ow<span class="diff_add">n</span>er,&nbsp;permissions,&nbsp;etc.</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-20T15:05:19.273Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-11-01T21:18:51.941Z</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.</td><td style='border: 1px solid black;border-collapse: collapse;'>Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>File: File Metadata</h4><p><b>Current version</b>: 1.0</p>
+    <table class="diff" id="difflib_chg_to57__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to57__0"><a href="#difflib_chg_to57__top">t</a></td><td class="diff_header" id="from57_1">1</td><td nowrap="nowrap">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td><td class="diff_next"><a href="#difflib_chg_to57__top">t</a></td><td class="diff_header" id="to57_1">1</td><td nowrap="nowrap">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">edia),&nbsp;user/ower,&nbsp;permissions,&nbsp;etc.</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">edia),&nbsp;user/ow<span class="diff_add">n</span>er,&nbsp;permissions,&nbsp;etc.</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_deprecated</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2021-10-20T15:05:19.273Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-11-01T21:18:51.941Z</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.</td><td style='border: 1px solid black;border-collapse: collapse;'>Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td></tr></tbody></table></details></details>
+            </body>
+        </html>
+        
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v14.0-v14.1/changelog.json b/modules/resources/docs/changelogs/v14.0-v14.1/changelog.json
new file mode 100644
index 00000000000..d113937c9dc
--- /dev/null
+++ b/modules/resources/docs/changelogs/v14.0-v14.1/changelog.json
@@ -0,0 +1,436 @@
+{
+    "enterprise-attack": {
+        "techniques": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-08-24 17:23:34.470000+00:00",
+                    "modified": "2023-11-06 20:14:51.609000+00:00",
+                    "name": "Ignore Process Interrupts",
+                    "description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man)  These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/011",
+                            "external_id": "T1564.011"
+                        },
+                        {
+                            "source_name": "Linux Signal Man",
+                            "description": "Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.",
+                            "url": "https://man7.org/linux/man-pages/man7/signal.7.html"
+                        },
+                        {
+                            "source_name": "nohup Linux Man",
+                            "description": "Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.",
+                            "url": "https://linux.die.net/man/1/nohup"
+                        },
+                        {
+                            "source_name": "Microsoft PowerShell SilentlyContinue",
+                            "description": "Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.",
+                            "url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.2.0",
+                    "x_mitre_contributors": [
+                        "Viren Chaudhari, Qualys"
+                    ],
+                    "x_mitre_data_sources": [
+                        "Process: Process Creation",
+                        "Command: Command Execution"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_detection": "",
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Viren Chaudhari, Qualys\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-11-06 20:14:51.609000+00:00\", \"old_value\": \"2023-09-06 20:17:26.167000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detections": {
+                        "shared": [
+                            "DS0009: Process (Process Creation)",
+                            "DS0017: Command (Command Execution)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "software": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [
+                {
+                    "type": "malware",
+                    "id": "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-04-17 13:46:38.565000+00:00",
+                    "modified": "2023-11-06 20:12:28.502000+00:00",
+                    "name": "Astaroth",
+                    "description": "[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0373",
+                            "external_id": "S0373"
+                        },
+                        {
+                            "source_name": "Guildma",
+                            "description": "(Citation: Securelist Brazilian Banking Malware July 2020)"
+                        },
+                        {
+                            "source_name": "Cofense Astaroth Sept 2018",
+                            "description": "Doaty, J., Garrett, P.. (2018, September 10). We\u2019re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.",
+                            "url": "https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/"
+                        },
+                        {
+                            "source_name": "Securelist Brazilian Banking Malware July 2020",
+                            "description": "GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.",
+                            "url": "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/"
+                        },
+                        {
+                            "source_name": "Cybereason Astaroth Feb 2019",
+                            "description": "Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.",
+                            "url": "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Astaroth",
+                        "Guildma"
+                    ],
+                    "x_mitre_attack_spec_version": "3.2.0",
+                    "x_mitre_contributors": [
+                        "Carlos Borges, @huntingneo, CIP"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-11-06 20:12:28.502000+00:00\", \"old_value\": \"2023-03-21 21:20:23.717000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"3.1.0\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.2\", \"old_value\": \"2.1\"}}}",
+                    "previous_version": "2.1",
+                    "version_change": "2.1 \u2192 2.2"
+                }
+            ],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "groups": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "campaigns": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "assets": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "mitigations": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datasources": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datacomponents": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "modified": "2023-11-01T21:18:51.941Z",
+                    "name": "File Metadata",
+                    "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.",
+                    "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_version": "1.0",
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+                    "created": "2021-10-20T15:05:19.273Z",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "revoked": false,
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.2.0",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false, \"root['revoked']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-11-01T21:18:51.941Z\", \"old_value\": \"2021-10-20T15:05:19.273Z\"}, \"root['description']\": {\"new_value\": \"Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.\", \"old_value\": \"Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}}}",
+                    "previous_version": "1.0",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to56__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to56__0\"><a href=\"#difflib_chg_to56__top\">t</a></td><td class=\"diff_header\" id=\"from56_1\">1</td><td nowrap=\"nowrap\">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to56__top\">t</a></td><td class=\"diff_header\" id=\"to56_1\">1</td><td nowrap=\"nowrap\">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edia),&nbsp;user/ower,&nbsp;permissions,&nbsp;etc.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edia),&nbsp;user/ow<span class=\"diff_add\">n</span>er,&nbsp;permissions,&nbsp;etc.</td></tr>\n        </tbody>\n    </table>"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        }
+    },
+    "mobile-attack": {
+        "techniques": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "software": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "groups": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "campaigns": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "assets": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "mitigations": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datasources": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datacomponents": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        }
+    },
+    "ics-attack": {
+        "techniques": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "software": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "groups": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "campaigns": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "assets": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "mitigations": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datasources": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datacomponents": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "modified": "2023-11-01T21:18:51.941Z",
+                    "name": "File Metadata",
+                    "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.",
+                    "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_version": "1.0",
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+                    "created": "2021-10-20T15:05:19.273Z",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "revoked": false,
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.2.0",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": false, \"root['revoked']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2023-11-01T21:18:51.941Z\", \"old_value\": \"2021-10-20T15:05:19.273Z\"}, \"root['description']\": {\"new_value\": \"Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.\", \"old_value\": \"Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.2.0\", \"old_value\": \"2.1.0\"}}}",
+                    "previous_version": "1.0",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to57__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to57__0\"><a href=\"#difflib_chg_to57__top\">t</a></td><td class=\"diff_header\" id=\"from57_1\">1</td><td nowrap=\"nowrap\">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td><td class=\"diff_next\"><a href=\"#difflib_chg_to57__top\">t</a></td><td class=\"diff_header\" id=\"to57_1\">1</td><td nowrap=\"nowrap\">Contextual&nbsp;data&nbsp;about&nbsp;a&nbsp;file,&nbsp;which&nbsp;may&nbsp;include&nbsp;information&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">such&nbsp;as&nbsp;name,&nbsp;the&nbsp;content&nbsp;(ex:&nbsp;signature,&nbsp;headers,&nbsp;or&nbsp;data/m</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edia),&nbsp;user/ower,&nbsp;permissions,&nbsp;etc.</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">edia),&nbsp;user/ow<span class=\"diff_add\">n</span>er,&nbsp;permissions,&nbsp;etc.</td></tr>\n        </tbody>\n    </table>"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        }
+    },
+    "new-contributors": [
+        "Viren Chaudhari, Qualys"
+    ]
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v14.0-v14.1/layer-enterprise.json b/modules/resources/docs/changelogs/v14.0-v14.1/layer-enterprise.json
new file mode 100644
index 00000000000..790c5a65fc3
--- /dev/null
+++ b/modules/resources/docs/changelogs/v14.0-v14.1/layer-enterprise.json
@@ -0,0 +1,62 @@
+{
+    "versions": {
+        "layer": "4.4",
+        "navigator": "4.8.0",
+        "attack": "14.1"
+    },
+    "name": "November 2023 Enterprise Updates",
+    "description": "Enterprise updates for the November 2023 release of ATT&CK",
+    "domain": "enterprise-attack",
+    "techniques": [
+        {
+            "techniqueID": "T1564.011",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        }
+    ],
+    "sorting": 0,
+    "hideDisabled": false,
+    "legendItems": [
+        {
+            "color": "#a1d99b",
+            "label": "additions: ATT&CK objects which are only present in the new release."
+        },
+        {
+            "color": "#fcf3a2",
+            "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+        },
+        {
+            "color": "#c7c4e0",
+            "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+        },
+        {
+            "color": "#B5E5CF",
+            "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+        },
+        {
+            "color": "#B99095",
+            "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+        },
+        {
+            "color": "#ff9000",
+            "label": "revocations: ATT&CK objects which are revoked by a different object."
+        },
+        {
+            "color": "#ff6363",
+            "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+        },
+        {
+            "color": "#ff00e1",
+            "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+        },
+        {
+            "color": "#ffffff",
+            "label": "unchanged: ATT&CK objects which did not change between the two versions."
+        }
+    ],
+    "showTacticRowBackground": true,
+    "tacticRowBackground": "#205b8f",
+    "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v14.0-v14.1/layer-ics.json b/modules/resources/docs/changelogs/v14.0-v14.1/layer-ics.json
new file mode 100644
index 00000000000..e26cfcf1c2f
--- /dev/null
+++ b/modules/resources/docs/changelogs/v14.0-v14.1/layer-ics.json
@@ -0,0 +1,54 @@
+{
+    "versions": {
+        "layer": "4.4",
+        "navigator": "4.8.0",
+        "attack": "14.1"
+    },
+    "name": "November 2023 ICS Updates",
+    "description": "ICS updates for the November 2023 release of ATT&CK",
+    "domain": "ics-attack",
+    "techniques": [],
+    "sorting": 0,
+    "hideDisabled": false,
+    "legendItems": [
+        {
+            "color": "#a1d99b",
+            "label": "additions: ATT&CK objects which are only present in the new release."
+        },
+        {
+            "color": "#fcf3a2",
+            "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+        },
+        {
+            "color": "#c7c4e0",
+            "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+        },
+        {
+            "color": "#B5E5CF",
+            "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+        },
+        {
+            "color": "#B99095",
+            "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+        },
+        {
+            "color": "#ff9000",
+            "label": "revocations: ATT&CK objects which are revoked by a different object."
+        },
+        {
+            "color": "#ff6363",
+            "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+        },
+        {
+            "color": "#ff00e1",
+            "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+        },
+        {
+            "color": "#ffffff",
+            "label": "unchanged: ATT&CK objects which did not change between the two versions."
+        }
+    ],
+    "showTacticRowBackground": true,
+    "tacticRowBackground": "#205b8f",
+    "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v14.0-v14.1/layer-mobile.json b/modules/resources/docs/changelogs/v14.0-v14.1/layer-mobile.json
new file mode 100644
index 00000000000..b83885b90df
--- /dev/null
+++ b/modules/resources/docs/changelogs/v14.0-v14.1/layer-mobile.json
@@ -0,0 +1,54 @@
+{
+    "versions": {
+        "layer": "4.4",
+        "navigator": "4.8.0",
+        "attack": "14.1"
+    },
+    "name": "November 2023 Mobile Updates",
+    "description": "Mobile updates for the November 2023 release of ATT&CK",
+    "domain": "mobile-attack",
+    "techniques": [],
+    "sorting": 0,
+    "hideDisabled": false,
+    "legendItems": [
+        {
+            "color": "#a1d99b",
+            "label": "additions: ATT&CK objects which are only present in the new release."
+        },
+        {
+            "color": "#fcf3a2",
+            "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+        },
+        {
+            "color": "#c7c4e0",
+            "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+        },
+        {
+            "color": "#B5E5CF",
+            "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+        },
+        {
+            "color": "#B99095",
+            "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+        },
+        {
+            "color": "#ff9000",
+            "label": "revocations: ATT&CK objects which are revoked by a different object."
+        },
+        {
+            "color": "#ff6363",
+            "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+        },
+        {
+            "color": "#ff00e1",
+            "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+        },
+        {
+            "color": "#ffffff",
+            "label": "unchanged: ATT&CK objects which did not change between the two versions."
+        }
+    ],
+    "showTacticRowBackground": true,
+    "tacticRowBackground": "#205b8f",
+    "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/static_pages/updates-october-2023.md b/modules/resources/static_pages/updates-october-2023.md
index 39509afc7fd..2dca3ff9b07 100644
--- a/modules/resources/static_pages/updates-october-2023.md
+++ b/modules/resources/static_pages/updates-october-2023.md
@@ -8,7 +8,7 @@ save_as: resources/updates/updates-october-2023/index.html
 
 | Version | Start Date | End Date | Data | Changelogs |
 |:--------|:-----------|:---------|:-----|:-----------|
-| [ATT&CK v14](/versions/v14) | October 31, 2023 | Current version of ATT&CK | [v14.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.0) | 13.1 - 14.0 [Details](/docs/changelogs/v13.1-v14.0/changelog-detailed.html) ([JSON](/docs/changelogs/v13.1-v14.0/changelog.json)) |
+| [ATT&CK v14](/versions/v14) | October 31, 2023 | Current version of ATT&CK | [v14.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.0)<br />[v14.1 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v14.1) | 13.1 - 14.0 [Details](/docs/changelogs/v13.1-v14.0/changelog-detailed.html) ([JSON](/docs/changelogs/v13.1-v14.0/changelog.json))<br />14.0 - 14.1 [Details](/docs/changelogs/v14.0-v14.1/changelog-detailed.html) ([JSON](/docs/changelogs/v14.0-v14.1/changelog.json)) |
 
 The October 2023 (v14) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v14 are a large expansion of detection notes and analytics to Techniques in Enterprise, a minor scoping change to Enterprise resulting in coverage of [Financial Theft](/techniques/T1657) and [Voice](/techniques/T1566/004) [Phishing](/techniques/T1598/004), structured Detections in Mobile, and the (re-)addition of [Assets](/assets) to ICS. An [accompanying blog post](https://medium.com/mitre-attack/attack-v14-fa473603f86b
 ) describes these changes as well as improvements across ATT&CK's various domains and platforms.
@@ -520,6 +520,10 @@ This version of ATT&CK contains 760 Pieces of Software, 143 Groups, and 24 Campa
 
 * [2015 Ukraine Electric Power Attack](/campaigns/C0028) <small style="color:#929393">(v1.0)</small>
 
+#### Deprecations
+
+* [Oldsmar Treatment Plant Intrusion](/campaigns/C0009) <small style="color:#929393">(v1.0)</small>
+
 ## Assets
 
 ### ICS
diff --git a/pyproject.toml b/pyproject.toml
index 5fc78204d95..d17551852f6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,7 @@ profile = "black"
 
 [tool.towncrier]
     name = "ATT&CK website"
-    version = "4.0.6"
+    version = "4.0.7"
     filename = "CHANGELOG.md"
     issue_format = "[#{issue}](https://github.com/mitre-attack/attack-website/issues/{issue})"
     template = ".towncrier.template.md"
diff --git a/requirements.txt b/requirements.txt
index 014e58ac755..0936418c48b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,7 @@ bleach==6.0.0
 colorama==0.4.6
 future==0.18.3
 loguru==0.6.0
-mitreattack-python==3.0.0
+mitreattack-python==3.0.1
 pelican==4.8.0
 pyScss==1.4.0
 python-dotenv==1.0.0