Update stix to correspond to MBC v2.3

USAGE.md

@@ -240,7 +240,7 @@ The [ATT&CK® Navigator](https://github.com/mitre-attack/attack-navigator) has d
 
 ```json
         {
-            "name": "MBC v2.2",
+            "name": "MBC v2.3",
             "domains": [
                 {
                     "name": "2.2 Release",

mbc/attack-pattern/attack-pattern--001ca78e-188e-4725-9f43-706d0f487837.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--001ca78e-188e-4725-9f43-706d0f487837",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.607265Z",
-            "modified": "2022-02-05T00:37:22.601096Z",
+            "modified": "2022-09-08T18:26:13.230081Z",
             "name": "Send Data",
             "description": "Send data to a controller.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
                     "external_id": "B0030.001"
                 }
             ],

mbc/attack-pattern/attack-pattern--006afc45-b6df-4e75-8102-b38ccb09db58.json

@@ -28,7 +28,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/persistence/component-firmware.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/persistence/component-firmware.md",
                     "external_id": "F0009.001"
                 }
             ],

mbc/attack-pattern/attack-pattern--010c8801-3ad4-479b-8c56-c29e108121c9.json

@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/wininet.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/wininet.md",
                     "external_id": "C0005.002"
                 }
             ],

mbc/attack-pattern/attack-pattern--013fce9b-0645-41a4-b6ec-03a70b319715.json

@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/file-system/create-file.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/file-system/create-file.md",
                     "external_id": "C0016.001"
                 }
             ],

mbc/attack-pattern/attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--023243fb-9971-4e64-9bca-5976fa84f08f",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.828261Z",
-            "modified": "2022-02-05T00:37:22.741756Z",
+            "modified": "2022-09-08T18:26:13.361213Z",
             "name": "Request::SMTP Communication",
             "description": "Makes SMTP request.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/smtp-comm.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/smtp-communication.md",
                     "external_id": "C0012.002"
                 }
             ],

mbc/attack-pattern/attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--02b99b72-6baa-4329-9a48-1ce8aae4383a",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.486264Z",
-            "modified": "2022-02-05T00:37:22.507385Z",
+            "modified": "2022-09-08T18:26:13.299473Z",
             "name": "Timing/Uptime Check",
             "description": "Comparing single GetTickCount with some value to see if system has been started at least *X* amount ago. This behavior can be mitigated in non-automated analysis environments.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
                     "external_id": "B0007.009"
                 }
             ],

mbc/attack-pattern/attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--02f5dda2-da92-4e5b-88bb-67e9e542c444",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2022-02-04T23:52:35.67367Z",
-            "modified": "2022-02-05T00:37:22.491757Z",
+            "modified": "2022-09-08T18:26:13.318985Z",
             "name": "RtlAdjustPrivilege",
             "description": "Malware may call RtlAdjustPrivilege to detect if a debugger is attached (or to prevent a debugger from attaching).",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
                     "external_id": "B0001.022"
                 }
             ],

mbc/attack-pattern/attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436.json

@@ -8,10 +8,22 @@
             "id": "attack-pattern--03996e71-dfa7-4585-8a42-da7f95c50436",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2022-02-04T23:52:35.829949Z",
-            "modified": "2022-02-05T00:37:22.632387Z",
+            "modified": "2022-09-08T18:26:13.420199Z",
             "name": "Shadow System Service Dispatch Table Hooking",
             "description": "The Shadow System Service Dispatch Table (SSDT) can be hooked similarly to how the SSDT and IAT are hooked. The target of the hooking with the Shadow SSDT is the Windows subsystem (win32k.sys).",
             "kill_chain_phases": [
+                {
+                    "kill_chain_name": "mitre-mbc",
+                    "phase_name": "anti-behavioral-analysis"
+                },
+                {
+                    "kill_chain_name": "mitre-mbc",
+                    "phase_name": "collection"
+                },
+                {
+                    "kill_chain_name": "mitre-mbc",
+                    "phase_name": "credential-access"
+                },
                 {
                     "kill_chain_name": "mitre-mbc",
                     "phase_name": "defense-evasion"
@@ -28,7 +40,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/hijack-execution-flow.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/hijack-execution-flow.md",
                     "external_id": "F0015.004"
                 },
                 {

mbc/attack-pattern/attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--03d1844f-241a-4ed9-858f-47e5e6543746",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.458263Z",
-            "modified": "2022-02-05T00:37:22.491757Z",
+            "modified": "2022-09-08T18:26:13.311826Z",
             "name": "API Hook Detection",
             "description": "Module bounds based .",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
                     "external_id": "B0001.001"
                 },
                 {

mbc/attack-pattern/attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--0469984a-07e7-4160-ba64-f1abf02346bb",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.484262Z",
-            "modified": "2022-02-05T00:37:22.507385Z",
+            "modified": "2022-09-08T18:26:13.297643Z",
             "name": "Product Key/ID Testing",
             "description": "Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-sandbox.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/sandbox-detection.md",
                     "external_id": "B0007.005"
                 }
             ],

mbc/attack-pattern/attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--048440e7-8adb-4a71-9ee3-922ca4040b1f",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2021-02-10T06:49:31.936476Z",
-            "modified": "2022-02-05T00:37:22.663601Z",
+            "modified": "2022-09-08T18:26:13.211623Z",
             "name": "Application Window Discovery",
             "description": "Malware may attempt to get a listing of open application windows.",
             "kill_chain_phases": [
@@ -20,13 +20,8 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/discovery/app-window-discover.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/discovery/application-window-discovery.md",
                     "external_id": "E1010"
-                },
-                {
-                    "source_name": "mitre-attack",
-                    "url": "https://attack.mitre.org/techniques/T1010/",
-                    "external_id": "T1010"
                 }
             ],
             "object_marking_refs": [

mbc/attack-pattern/attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--04da331b-6112-420c-9358-58cb21e5a4af",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.556264Z",
-            "modified": "2022-02-05T00:37:22.569857Z",
+            "modified": "2022-09-08T18:26:13.192025Z",
             "name": "Fake Code Insertion",
             "description": "Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-static-analysis/exe-code-obfuscate.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-static-analysis/executable-code-obfuscation.md",
                     "external_id": "B0032.004"
                 }
             ],

mbc/attack-pattern/attack-pattern--04e25839-3207-4600-8972-618aa7cf44af.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--04e25839-3207-4600-8972-618aa7cf44af",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.606261Z",
-            "modified": "2022-02-05T00:37:22.601096Z",
+            "modified": "2022-09-08T18:26:13.229515Z",
             "name": "Request Email Address List",
             "description": "Request email address list.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/command-and-control/command-control-comm.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/command-and-control/c2-communication.md",
                     "external_id": "B0030.010"
                 }
             ],

mbc/attack-pattern/attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52.json → mbc/attack-pattern/attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54.json

@@ -1,16 +1,16 @@
 {
     "type": "bundle",
-    "id": "bundle--9d5634d2-e793-40f9-b580-2c20ad40cdd0",
+    "id": "bundle--263116e2-4652-40f9-9e52-30f4ba9fdaa7",
     "objects": [
         {
             "type": "attack-pattern",
             "spec_version": "2.1",
-            "id": "attack-pattern--5e4e232e-e441-4223-8b73-f160e9957a52",
+            "id": "attack-pattern--05f154ce-4547-45cf-a664-ca231fdcff54",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
-            "created": "2020-08-21T20:49:59.648262Z",
-            "modified": "2022-02-05T00:37:22.616726Z",
+            "created": "2022-09-08T18:26:13.423869Z",
+            "modified": "2022-09-08T18:26:13.423869Z",
             "name": "Install Insecure or Malicious Configuration",
-            "description": "Malware may install malicious configuration settings or may modify existing configuration settings. This MBC behavior extends the related ATT&CK technique to all platforms and to the Persistence objective.",
+            "description": "Malware may install malicious configuration settings or may modify existing configuration settings. For example, malware may change configuration settings associated with security mechanisms to make it difficult to detect or change configuration settings to maintain a foothold on the network.",
             "kill_chain_phases": [
                 {
                     "kill_chain_name": "mitre-mbc",
@@ -24,13 +24,12 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/defense-evasion/config-mod.md",
-                    "external_id": "E1478"
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/defense-evasion/install-insecure-or-malicious-configuration.md",
+                    "external_id": "B0047"
                 },
                 {
-                    "source_name": "mitre-attack",
-                    "url": "https://attack.mitre.org/techniques/T1478",
-                    "external_id": "T1478"
+                    "source_name": "external_source",
+                    "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
                 }
             ],
             "object_marking_refs": [

mbc/attack-pattern/attack-pattern--063274b5-04c4-4987-98d6-850c2598b601.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--063274b5-04c4-4987-98d6-850c2598b601",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.805261Z",
-            "modified": "2022-02-05T00:37:22.726134Z",
+            "modified": "2022-09-08T18:26:13.379149Z",
             "name": "Resolve Free Hosting Domain::DNS Communication",
             "description": "Resolves a free hosting domain (e.g., freeiz.com).",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/communication/dns-comm.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/communication/dns-communication.md",
                     "external_id": "C0011.005"
                 }
             ],

mbc/attack-pattern/attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--068a3a77-caf2-4951-9e38-97ad68c792d6",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.510265Z",
-            "modified": "2022-02-05T00:37:22.538637Z",
+            "modified": "2022-09-08T18:26:13.304109Z",
             "name": "Code Integrity Check",
             "description": "Check that the unpacking code is unmodified. Variation exists where unpacking code is part of the \"key\" used to unpack, therefore any Software Breakpoints during debugging causes unpacking to completely fail or result in malformed unpacked code.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/evade-debugger.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-evasion.md",
                     "external_id": "B0002.005"
                 }
             ],

mbc/attack-pattern/attack-pattern--06c3d5c7-d4bf-4b28-8385-e169ba81e744.json

@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/lateral-movement/supply-chain-compromise.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/lateral-movement/supply-chain-compromise.md",
                     "external_id": "E1195.m02"
                 }
             ],

mbc/attack-pattern/attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400.json

@@ -8,7 +8,7 @@
             "id": "attack-pattern--07181568-3663-4ade-ac99-3e32bd7d5400",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2020-08-21T20:49:59.468265Z",
-            "modified": "2022-02-05T00:37:22.491757Z",
+            "modified": "2022-09-08T18:26:13.317662Z",
             "name": "Process Environment Block BeingDebugged",
             "description": "The BeingDebugged field is tested to determine whether the process is being debugged.",
             "kill_chain_phases": [
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/anti-behavioral-analysis/detect-debugger.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/debugger-detection.md",
                     "external_id": "B0001.035"
                 }
             ],

mbc/attack-pattern/attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0.json

@@ -8,9 +8,9 @@
             "id": "attack-pattern--0741d3d3-4027-430d-a574-5bc06d62a9c0",
             "created_by_ref": "identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf",
             "created": "2022-02-04T23:52:36.03097Z",
-            "modified": "2022-02-05T00:37:22.773011Z",
+            "modified": "2022-09-08T18:26:13.383336Z",
             "name": "Hashed Message Authentication Code",
-            "description": "Malware uses an HMAC schema.",
+            "description": "Malware uses a hashed message authentication code (HMAC) schema.",
             "kill_chain_phases": [
                 {
                     "kill_chain_name": "mitre-mbc",
@@ -20,7 +20,7 @@
             "external_references": [
                 {
                     "source_name": "mitre-mbc",
-                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.2/micro-behaviors/cryptography/hmac.md",
+                    "url": "https://github.com/MBCProject/mbc-markdown/blob/v2.3/micro-behaviors/cryptography/hashed-message-authentication-code.md",
                     "external_id": "C0061"
                 }
             ],