From 02810e763801a052ec8245182b8af5d3916d0f82 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 13 Dec 2024 13:01:12 +0100
Subject: [PATCH] add ttp for 3AM ransomware
---
 clusters/ransomware.json | 100 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 26fc4fd4..28f3f0b2 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -29061,8 +29061,108 @@
 ],
 "refs": [
 "https://www.ransomlook.io/group/3am"
+ ],
+ "ttp": [
+ "Create Account - T1136",
+ "Bypass User Account Control - T1548.002",
+ "Windows Service - T1543.003",
+ "Service Execution - T1569.002",
+ "Disable or Modify System Firewall Settings - T1562.004",
+ "Clear Windows Event Logs - T1070.001",
+ "Network Share Discovery - T1135",
+ "Group Policy Discovery - T1615",
+ "Remote System Discovery - T1018",
+ "Exfiltration Over Alternative Protocol - T1048",
+ "Inhibit System Recovery - T1490",
+ "Data Encrypted for Impact - T1486"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
"estimative-language:likelihood-probability=\"very-likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"very-likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"very-likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"very-likely\"" + ], + "type": "uses" + } + ], "uuid": "1c8af0c6-7b20-5878-909d-6ac14429a9ed", "value": "3am" },