MITRE ATT&CK® Group

G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]

Enterprise · G0045 · Group · Object v3.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

menuPass is an ATT&CK group with a long reported history, broad sector targeting, and documented interest in Japanese organizations and managed IT service providers. The practical issue for leaders is third-party and identity risk: the related tooling includes credential dumpers, remote access tools, command-line utilities, Active Directory query tooling, and remote execution utilities, which are the kinds of capabilities that can turn one compromised endpoint or provider relationship into wider enterprise access.

Executive priority

Prioritize menuPass as a planning reference for resilience against targeted intrusion, especially if the organization operates in healthcare, defense, aerospace, finance, maritime, biotechnology, energy, government, manufacturing, mining, higher education, Japan-linked operations, or MSP-dependent environments named in the ATT&CK description. Executive questions should focus on whether privileged identity controls, MSP access governance, Windows endpoint visibility, and incident response playbooks can withstand credential theft, remote access malware, and legitimate admin-tool abuse. This object is also useful for audit and compliance evidence because it maps defensive investment to a documented adversary profile rather than generic malware risk.

Technical view

ATT&CK does not provide a detection section, platforms, or tactics for the group object itself, so SOC validation should be relationship-driven. The associated software set is heavily Windows-oriented and includes Mimikatz, pwdump, PoisonIvy, PlugX, PsExec, Net, cmd, ChChes, EvilGrab, RedLeaves, SNUGRIDE, certutil, PowerSploit, QuasarRAT, UPPERCUT, esentutl, AdFind, Ecipekac, P8RAT, SodaMaster, and FYAnti, plus cross-platform tooling such as Cobalt Strike and Impacket. Detection engineering should validate coverage for credential dumping, suspicious command-line activity, Active Directory enumeration, remote service execution, fileless or loader-style malware behavior, and outbound remote access/backdoor communications without assuming any single tool name will appear in telemetry.

Likely telemetry

  • Windows endpoint process creation and command-line logs for cmd, Net, PsExec, certutil, esentutl, PowerShell/PowerSploit-like activity, and AdFind-like directory queries
  • Authentication, privilege use, and lateral movement evidence from Windows security logs, domain controller logs, and remote administration events
  • Endpoint detections or memory/behavioral telemetry associated with credential dumping tools such as Mimikatz and pwdump
  • Network, DNS, proxy, and firewall logs showing unusual outbound connections or remote access tool/backdoor communications associated with RAT-style software
  • Email and endpoint telemetry around malicious Microsoft Office document execution, where applicable to EvilGrab-related spearphishing context

Detection direction

  • Do not rely only on static malware names; several related tools are legitimate utilities or public frameworks also used by administrators and testers.
  • Baseline administrative use of PsExec, Net, cmd, certutil, esentutl, AdFind, Impacket, and Cobalt Strike-like tooling so alerts can separate expected operations from unusual hosts, users, times, parent processes, or command arguments.
  • Correlate credential dumping indicators with subsequent authentication anomalies, remote execution, directory enumeration, and outbound communications to reduce false positives and improve incident confidence.
  • Validate domain controller and endpoint visibility for Active Directory reconnaissance because AdFind and native Windows utilities can leave limited evidence if command-line logging is weak.
  • Review detection gaps for fileless malware and loader behavior reflected by P8RAT, SodaMaster, Ecipekac, and FYAnti relationships; pure file-hash controls are unlikely to be sufficient.
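The detection direction above, worked as an added example (this is not Glexia's or MITRE's code): rule matching over constructed Sysmon-style process-creation events using command-line procedures from the relationship table below (net view /domain, csvde, ntdsutil, secretsdump.py/wmiexec.vbs, certutil -decode, atexec.py, wevtutil), an assumed approved-use baseline that downgrades an expected backup account's ntdsutil run, an OriginalFileName check for a renamed certutil, and the correlation of a credential-dump hit with later remote execution or directory enumeration on the same host. The host names, accounts, paths, baseline entry and 24-hour window are all assumed.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns taken from this page's procedure text: (technique id, correlation stage, regex).
RULES = [
    ("T1018", "discovery", re.compile(r"\bnet1?(\.exe)?\s+view\s+/domain\b", re.I)),
    ("T1087.002", "discovery", re.compile(r"\bcsvde(\.exe)?\b", re.I)),
    ("T1003.003", "cred_dump", re.compile(r"\bntdsutil(\.exe)?\b", re.I)),
    ("T1003.002", "cred_dump", re.compile(r"secretsdump\.py|wmiexec\.vbs", re.I)),
    ("T1140", "execution", re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("T1053.005", "remote_exec", re.compile(r"atexec\.py", re.I)),
    ("T1070.003", "defense_evasion", re.compile(r"\bwevtutil(\.exe)?\s+cl\s.*powershell", re.I)),
]

# Assumed approved-use baseline: (account, image basename) pairs downgraded to "info".
BASELINE = {("corp\\svc-adbackup", "ntdsutil.exe")}

# Assumed window: credential dump followed by remote execution/discovery on the same host.
CORRELATION_WINDOW = timedelta(hours=24)


def match_event(ev):
    """Return (technique, stage, severity) hits for one process-creation event."""
    image = ntpath.basename(ev["image"]).lower()
    orig = (ev.get("original_file_name") or "").lower()
    # Match against the PE's OriginalFileName plus the command line, so a renamed
    # binary (certutil moved and renamed, T1036.003) still hits the certutil rule.
    probe = f"{orig or image} {ev['command_line']}"
    hits = []
    for tech, stage, rx in RULES:
        if rx.search(probe):
            sev = "info" if (ev["user"].lower(), image) in BASELINE else "medium"
            hits.append((tech, stage, sev))
    if orig == "certutil.exe" and image != "certutil.exe":
        hits.append(("T1036.003", "defense_evasion", "high"))
    return hits


def correlate(events):
    """Escalate hosts where a credential dump precedes remote execution or discovery."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tech, stage, sev in match_event(ev):
            if sev != "info":  # baselined admin activity never feeds correlation
                per_host[ev["host"]].append((ev["ts"], tech, stage))
    incidents = []
    for host, hits in per_host.items():
        for t0, tech, _ in [h for h in hits if h[2] == "cred_dump"]:
            follow = sorted({h[1] for h in hits if h[2] in ("remote_exec", "discovery")
                             and t0 < h[0] <= t0 + CORRELATION_WINDOW})
            if follow:
                incidents.append({"host": host, "cred_dump": tech, "followed_by": follow})
    return incidents


# Constructed sample events with Sysmon Event ID 1-style fields; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 3, 1, 9, 0), "host": "DC01", "user": "corp\\svc-adbackup",
     "image": r"C:\Windows\System32\ntdsutil.exe", "original_file_name": "ntdsutil.exe",
     "command_line": 'ntdsutil.exe ifm "create full C:\\backup" q'},
    {"ts": datetime(2024, 3, 1, 22, 10), "host": "WS-042", "user": "corp\\jdoe",
     "image": r"C:\Python27\python.exe", "original_file_name": "python.exe",
     "command_line": "python.exe secretsdump.py DC01"},
    {"ts": datetime(2024, 3, 1, 22, 35), "host": "WS-042", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "original_file_name": "net.exe",
     "command_line": "net view /domain"},
    {"ts": datetime(2024, 3, 1, 23, 5), "host": "WS-042", "user": "corp\\jdoe",
     "image": r"C:\Python27\python.exe", "original_file_name": "python.exe",
     "command_line": "python.exe atexec.py DC01"},
    {"ts": datetime(2024, 3, 2, 1, 0), "host": "WS-042", "user": "corp\\jdoe",
     "image": r"C:\ProgramData\ct.exe", "original_file_name": "CertUtil.exe",
     "command_line": "ct.exe -decode C:\\ProgramData\\a.txt C:\\ProgramData\\a.dll"},
]
```

The renamed-certutil event shows why the OriginalFileName field matters: its command line never contains the string certutil, so a command-line-only rule would miss both the decode and the rename.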

Mitigation priorities

  • First strengthen identity controls: reduce standing privilege, enforce strong authentication for administrative and remote access paths, and monitor privileged credential use.
  • Harden Windows endpoints and servers against credential theft by limiting credential exposure, restricting local administrator use, and ensuring endpoint telemetry is retained for investigation.
  • Govern dual-use administrative tools with allowlisting, approved-use baselines, and alerting for unexpected execution of PsExec, Net, cmd, certutil, esentutl, AdFind, Impacket, and PowerShell-based frameworks.
  • Review MSP and third-party access paths, including least privilege, logging, segmentation, and incident notification expectations.
  • Improve egress monitoring and network segmentation to limit the value of RATs, backdoors, and post-exploitation frameworks if an endpoint is compromised.

Analyst notes and limits

The strongest defensive signal in this object comes from the combination of official targeting history and the software relationships. The group is associated in ATT&CK with multiple aliases, including APT10, Cicada, POTASSIUM, Stone Panda, Red Apollo, CVNX, HOGFISH, and BRONZE RIVERSIDE. ATT&CK states members are known to have acted in association with the Chinese MSS Tianjin State Security Bureau and Huaying Haitai Science and Technology Development Company; this take does not extend that statement beyond the supplied source text.

ATT&CK provides no official detection guidance, tactics, or platforms on the group object itself. Platform implications are inferred only from related software descriptions, many of which are Windows-focused. Local relevance depends on the organization’s sector, geography, MSP exposure, identity architecture, and actual telemetry coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

46 rows. Columns: Domain, ID, Name, Relationship / procedure.
Enterprise T1018 Remote System Discovery

menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)

Enterprise T1047 Windows Management Instrumentation

menuPass has used a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Github AD-Pentest-Script) (Citation: Symantec Cicada November 2020)

Enterprise T1036 Masquerading

menuPass has used esentutl to restore the true file extensions of files that were masquerading as .txt files. (Citation: FireEye APT10 Sept 2018)

Enterprise T1070.004 File Deletion Sub-technique

A menuPass macro deletes files after it has decoded and decompressed them. (Citation: Accenture Hogfish April 2018) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1046 Network Service Discovery

menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest. (Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1049 System Network Connections Discovery

menuPass has used net use to conduct connectivity checks to machines. (Citation: PWC Cloud Hopper April 2017)

Enterprise T1560.001 Archive via Utility Sub-technique

menuPass has compressed files before exfiltration using TAR and RAR. (Citation: PWC Cloud Hopper April 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Symantec Cicada November 2020)

Enterprise T1566.001 Spearphishing Attachment Sub-technique

menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017) (Citation: FireEye APT10 Sept 2018) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1105 Ingress Tool Transfer

menuPass has installed updates and new malware on victims. (Citation: PWC Cloud Hopper April 2017) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1588.002 Tool Sub-technique

menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump. (Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1204.002 Malicious File Sub-technique

menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017) (Citation: Accenture Hogfish April 2018) (Citation: FireEye APT10 Sept 2018) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1090.002 External Proxy Sub-technique

menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim. (Citation: FireEye APT10 April 2017) (Citation: FireEye APT10 Sept 2018)

Enterprise T1078 Valid Accounts

menuPass has used valid accounts, including accounts shared between Managed Service Providers and their clients, to move between the two environments. (Citation: PWC Cloud Hopper April 2017) (Citation: Symantec Cicada November 2020) (Citation: District Court of NY APT10 Indictment December 2018) (Citation: Securelist APT10 March 2021)

Enterprise T1016 System Network Configuration Discovery

menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions. (Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1568.001 Fast Flux DNS Sub-technique

menuPass has used dynamic DNS service providers to host malicious domains. (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1036.003 Rename Legitimate Utilities Sub-technique

menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool. (Citation: FireEye APT10 Sept 2018)

Enterprise T1056.001 Keylogging Sub-technique

menuPass has used key loggers to steal usernames and passwords. (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1087.002 Domain Account Sub-technique

menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data. (Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1003.003 NTDS Sub-technique

menuPass has used Ntdsutil to dump credentials. (Citation: Symantec Cicada November 2020)

Enterprise T1218.004 InstallUtil Sub-technique

menuPass has used InstallUtil.exe to execute malicious software. (Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1106 Native API

menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile. (Citation: Symantec Cicada November 2020)

Enterprise T1003.002 Security Account Manager Sub-technique

menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Github AD-Pentest-Script)

Enterprise T1027.013 Encrypted/Encoded File Sub-technique

menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40. (Citation: Accenture Hogfish April 2018) (Citation: FireEye APT10 Sept 2018) (Citation: Symantec Cicada November 2020)

Enterprise T1199 Trusted Relationship

menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017) (Citation: Symantec Cicada November 2020) (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1190 Exploit Public-Facing Application

menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions. (Citation: Securelist APT10 March 2021)

Enterprise T1074.002 Remote Data Staging Sub-technique

menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration. (Citation: PWC Cloud Hopper April 2017) (Citation: Symantec Cicada November 2020)

Enterprise T1070.003 Clear Command History Sub-technique

menuPass has used Wevtutil to remove PowerShell execution logs. (Citation: Securelist APT10 March 2021)

Enterprise T1140 Deobfuscate/Decode Files or Information

menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim's machine when dropping UPPERCUT. (Citation: Accenture Hogfish April 2018) (Citation: FireEye APT10 Sept 2018)

Enterprise T1553.002 Code Signing Sub-technique

menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures. (Citation: Securelist APT10 March 2021)

Enterprise T1053.005 Scheduled Task Sub-technique

menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler. (Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1055.012 Process Hollowing Sub-technique

menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant. (Citation: Accenture Hogfish April 2018)

Enterprise T1074.001 Local Data Staging Sub-technique

menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin. (Citation: PWC Cloud Hopper April 2017)

Enterprise T1021.001 Remote Desktop Protocol Sub-technique

menuPass has used RDP connections to move across the victim network. (Citation: PWC Cloud Hopper April 2017) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1039 Data from Network Shared Drive

menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data. (Citation: PWC Cloud Hopper April 2017)

Enterprise T1003.004 LSA Secrets Sub-technique

menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Github AD-Pentest-Script)

Enterprise T1083 File and Directory Discovery

menuPass has searched compromised systems for folders of interest, including those related to HR, audit and expense, and meeting memos. (Citation: Symantec Cicada November 2020)

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

menuPass has been seen changing malicious files to appear legitimate. (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1560 Archive Collected Data

menuPass has encrypted files and information before exfiltration. (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1059.003 Windows Command Shell Sub-technique

menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands. (Citation: PWC Cloud Hopper April 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Github AD-Pentest-Script) (Citation: FireEye APT10 Sept 2018) menuPass has used malicious macros embedded inside Office documents to execute files. (Citation: Accenture Hogfish April 2018) (Citation: FireEye APT10 Sept 2018)

Enterprise T1005 Data from Local System

menuPass has collected various files from the compromised computers. (Citation: DOJ APT10 Dec 2018) (Citation: Symantec Cicada November 2020)

Enterprise T1059.001 PowerShell Sub-technique

menuPass uses PowerSploit to inject shellcode into PowerShell. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Symantec Cicada November 2020)

Enterprise T1210 Exploitation of Remote Services

menuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472). (Citation: Symantec Cicada November 2020)

Enterprise T1021.004 SSH Sub-technique

menuPass has used the PuTTY Secure Copy Client (PSCP) to transfer data. (Citation: PWC Cloud Hopper April 2017)

Enterprise T1119 Automated Collection

menuPass has used the Csvde tool to collect Active Directory files and data. (Citation: Symantec Cicada November 2020)

Enterprise T1583.001 Domains Sub-technique

menuPass has registered malicious domains for use in intrusion campaigns. (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018)

Enterprise T1574.001 DLL Sub-technique

menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 Sept 2018) (Citation: Symantec Cicada November 2020) menuPass has also used DLL search order hijacking. (Citation: PWC Cloud Hopper April 2017)
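The T1027.013 row above describes strings protected with base64 plus a single-byte XOR using key 0x40; the analyst-side decoder below is an added example (not MITRE's text or tooling from the cited reports) that undoes that layering and, going beyond the page's stated key, recovers an unknown single-byte key by ranking all 256 candidates with a text-likeness score. The sample blob is constructed with the same scheme; the threshold and scoring weights are assumptions.

```python
import base64
import string

# Key documented for the group's single-byte XOR layer (T1027.013 row on this page).
MENUPASS_XOR_KEY = 0x40

PRINTABLE = set(string.printable.encode())
LETTERS_SPACE = set((string.ascii_letters + " ").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Text-likeness heuristic: letters and spaces count 1, other printable ASCII
    0.5, anything else 0. A plain printable-ratio test is not enough here, because
    XOR 0x40 maps most lowercase text to other printable bytes."""
    if not data:
        return 0.0
    total = 0.0
    for b in data:
        if b in LETTERS_SPACE:
            total += 1.0
        elif b in PRINTABLE:
            total += 0.5
    return total / len(data)


def recover_xor_key(data: bytes, threshold: float = 0.8):
    """Try all 256 single-byte keys; return (key, score) for the best one, or None
    when no candidate decodes to text-like output (assumed threshold)."""
    best = max(range(256), key=lambda k: text_score(xor_bytes(data, k)))
    score = text_score(xor_bytes(data, best))
    return (best, score) if score >= threshold else None


def decode_string(blob: str, key: int = MENUPASS_XOR_KEY) -> str:
    """Reverse the documented layering: base64 text -> XOR'd bytes -> plaintext."""
    return xor_bytes(base64.b64decode(blob, validate=True), key).decode("ascii", "replace")


def recover_from_blob(blob: str):
    """Base64-decode, recover the key, and return (key, plaintext) or None."""
    raw = base64.b64decode(blob, validate=True)
    found = recover_xor_key(raw)
    if found is None:
        return None
    return found[0], xor_bytes(raw, found[0]).decode("ascii", "replace")


def encode_string(text: str, key: int = MENUPASS_XOR_KEY) -> str:
    """Apply the same layering; used here only to build constructed samples."""
    return base64.b64encode(xor_bytes(text.encode("ascii"), key)).decode("ascii")


# Constructed sample: a command string protected with the documented scheme.
SAMPLE_BLOB = encode_string("cmd.exe /c net view /domain")
```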

Associated objects

Groups, software, and campaigns

S0160: certutil (Tool, Enterprise; platform: Windows)

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

S0002: Mimikatz (Tool, Enterprise; platform: Windows)

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

S0039: Net (Tool, Enterprise; platform: Windows)

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

S0194: PowerSploit (Tool, Enterprise; platform: Windows)

PowerSploit is an open source, offensive security framework comprising PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: 6295379e6c9b138f...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 3.0
Modified:
Status: Current bundle
Raw hash: 6295379e6c9b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] DOJ APT10 Dec 2018
     United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  2. [2] District Court of NY APT10 Indictment December 2018
     US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  3. [3] Palo Alto menuPass Feb 2017
     Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  4. [4] Crowdstrike CrowdCast Oct 2013
     Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved November 17, 2024.
  5. [5] FireEye Poison Ivy
     FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
  6. [6] PWC Cloud Hopper April 2017
     PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  7. [7] FireEye APT10 April 2017
     FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  8. [8] APT10 (alias)
     (Citation: Palo Alto menuPass Feb 2017) (Citation: Accenture Hogfish April 2018) (Citation: FireEye APT10 Sept 2018) (Citation: DOJ APT10 Dec 2018) (Citation: Symantec Cicada November 2020)
  9. [9] Accenture Hogfish April 2018
     Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  10. [10] BRONZE RIVERSIDE (alias)
     (Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)
  11. [11] CVNX (alias)
     (Citation: PWC Cloud Hopper April 2017) (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018)
  12. [12] Cicada (alias)
     (Citation: Symantec Cicada November 2020)
  13. [13] FireEye APT10 Sept 2018
     Matsuda, A. and Muhammad, I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  14. [14] HOGFISH (alias)
     (Citation: Accenture Hogfish April 2018)
  15. [15] POTASSIUM (alias)
     (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018)
  16. [16] Red Apollo (alias)
     (Citation: PWC Cloud Hopper April 2017) (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018)
  17. [17] SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022
     Counter Threat Unit Research Team. (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.
  18. [18] Stone Panda (alias)
     (Citation: Palo Alto menuPass Feb 2017) (Citation: Accenture Hogfish April 2018) (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018) (Citation: Symantec Cicada November 2020)
  19. [19] Symantec Cicada November 2020
     Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  20. [20] menuPass (alias)
     (Citation: Palo Alto menuPass Feb 2017) (Citation: DOJ APT10 Dec 2018) (Citation: District Court of NY APT10 Indictment December 2018)
  21. [21] mitre-attack G0045
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.