mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Duplicate SRO in ics-attack.json #194

Closed stmtstk closed 2 years ago

stmtstk commented 2 years ago

Hi All,

I found there are two objects which have the same object ID and modified timestamp in ics-attack.json.

https://github.com/mitre/cti/blob/master/ics-attack/ics-attack.json

The first one is

    {
      "type": "relationship",
      "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "created": "2021-10-14T16:46:06.044Z",
      "modified": "2022-04-21T22:02:04.210599Z",
      "relationship_type": "uses",
      "description": "[Stuxnet](https://attack.mitre.org/software/S0010) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
      "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
      "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
      "external_references": [
        {
          "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
          "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
          "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ]
    },

The second one is ...

    {
      "type": "relationship",
      "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "created": "2021-10-14T16:46:06.044Z",
      "modified": "2022-04-21T22:02:04.211599Z",
      "relationship_type": "uses",
      "description": "[Stuxnet](https://attack.mitre.org/software/S0010) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the \\xyz.dll\\ file. If the \\xyz.dll\\ file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
      "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
      "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
      "external_references": [
        {
          "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
          "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
          "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ]
    },

The difference is target_ref.

According to the link below,

https://github.com/mitre/cti/blob/master/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json

The second one seems to be correct.

The same ID and same modified timestamp should not be used.

I would like to strongly recommend a duplicate check.

stmtstk commented 2 years ago

Sorry. I noticed that these two objects have a different modified timestamp. I will close the issue.

stmtstk commented 2 years ago

I have another example in ics-attack.json.

The first one is ...

    {
      "type": "relationship",
      "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "created": "2018-04-18T17:59:24.739Z",
      "modified": "2022-04-21T22:02:04.224603Z",
      "relationship_type": "uses",
      "description": "[Triton](https://attack.mitre.org/software/S0013) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)",
      "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
      "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
      "external_references": [
        {
          "source_name": "Jos Wetzels January 2018",
          "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ",
          "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ]
    },

The second one is ...

    {
      "type": "relationship",
      "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "created": "2018-04-18T17:59:24.739Z",
      "modified": "2022-04-21T22:02:04.224603Z",
      "relationship_type": "uses",
      "description": "[Triton](https://attack.mitre.org/software/S0013) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. (Citation: MDudek-ICS)",
      "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
      "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
      "external_references": [
        {
          "source_name": "MDudek-ICS",
          "description": "MDudek-ICS   TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ",
          "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
        }
      ],
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ]
    },

The two objects have the same ID (relationship--1f8abf6f-0dd0-4449-b555-733fe7296177) and the same modified timestamp (2022-04-21T22:02:04.224603Z). The two objects have different target properties.

According to the URL below, the second one seems to be correct. https://github.com/mitre/cti/blob/master/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json
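The duplicate check the reporter recommends in the first comment, and the `(id, modified)` collision shown in this comment, can be implemented against a raw STIX 2.0 bundle with nothing but the standard library. The following is an added example and not code from the mitre/cti repository or its tooling: it parses a constructed sample bundle that reuses the relationship and target identifiers quoted in this thread (with other properties stripped down to what the check needs), groups objects by their `id` and `modified` pair, and reports which properties differ within a colliding group. A second helper lists ids that carry several distinct `modified` values, which STIX allows as versions of the same object and which is why the `relationship--8a06c15b` pair was not a true duplicate. The `stix2` library is deliberately not used so the script runs offline.

```python
import json
from collections import defaultdict

# Constructed sample bundle (not the real ics-attack.json): one true duplicate
# pair (same id, same modified, different target_ref) and one legitimate
# revision pair (same id, different modified).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "relationship",
            "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177",
            "modified": "2022-04-21T22:02:04.224603Z",
            "relationship_type": "uses",
            "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
            "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
        },
        {
            "type": "relationship",
            "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177",
            "modified": "2022-04-21T22:02:04.224603Z",
            "relationship_type": "uses",
            "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
            "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
        },
        {
            "type": "relationship",
            "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd",
            "modified": "2022-04-21T22:02:04.210599Z",
            "relationship_type": "uses",
            "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
            "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
        },
        {
            "type": "relationship",
            "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd",
            "modified": "2022-04-21T22:02:04.211599Z",
            "relationship_type": "uses",
            "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
            "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
        },
    ],
})


def find_duplicates(bundle_json):
    """Return {(id, modified): {"count": n, "differing": [property names]}}
    for every (id, modified) pair that occurs more than once in the bundle.

    Two objects with the same id and the same modified timestamp must be the
    same version of the same object, so any differing property is an error."""
    bundle = json.loads(bundle_json)
    groups = defaultdict(list)
    for obj in bundle.get("objects", []):
        groups[(obj.get("id"), obj.get("modified"))].append(obj)

    findings = {}
    for key, objs in groups.items():
        if len(objs) < 2:
            continue
        all_props = set().union(*(o.keys() for o in objs))
        # Serialize with sorted keys so nested values compare structurally.
        differing = sorted(
            prop for prop in all_props
            if len({json.dumps(o.get(prop), sort_keys=True) for o in objs}) > 1
        )
        findings[key] = {"count": len(objs), "differing": differing}
    return findings


def revision_ids(bundle_json):
    """Return the sorted ids that appear with more than one distinct
    'modified' value. These are versions, not duplicates, under STIX 2.0."""
    bundle = json.loads(bundle_json)
    versions = defaultdict(set)
    for obj in bundle.get("objects", []):
        versions[obj.get("id")].add(obj.get("modified"))
    return sorted(i for i, mods in versions.items() if len(mods) > 1)


if __name__ == "__main__":
    for (obj_id, modified), info in find_duplicates(SAMPLE_BUNDLE).items():
        print(f"DUPLICATE {obj_id} @ {modified}: {info['count']} copies, "
              f"differing properties: {', '.join(info['differing']) or 'none'}")
    for obj_id in revision_ids(SAMPLE_BUNDLE):
        print(f"versioned (allowed): {obj_id}")
```

Run against a real bundle by replacing `SAMPLE_BUNDLE` with the file contents; a clean bundle yields an empty dict from `find_duplicates`, and any non-empty `differing` list is the property a consumer would silently resolve one way or the other depending on load order.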

jondricek commented 2 years ago

Thanks for reporting this to us! There were a number of inconsistencies in the ICS ATT&CK bundle in the v11 release. We just released v11.1 yesterday and these duplicate Relationships have been addressed in that release. Let us know if you find anything else. Thanks!