{
  "meta": {
    "slug": "cwe-mitre-attack",
    "frameworks": [
      "CWE",
      "MITRE_ATTACK"
    ],
    "labels": [
      "CWE",
      "MITRE ATT&CK"
    ],
    "authoritative": "MITRE CWE\u2192CAPEC\u2192ATT&CK bridge",
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "CWE",
      "b": "MITRE_ATTACK"
    },
    "counts": {
      "pairs": 359,
      "rows": 718,
      "present_a_to_b": 295,
      "present_b_to_a": 278
    },
    "reliability": {
      "reverse_presence_pct": 81.7,
      "extent_rank_correlation": 0.398,
      "completeness_a_to_b_pct": 50.2,
      "completeness_b_to_a_pct": 8.6,
      "none_rate_a_to_b_pct": 17.8,
      "none_rate_b_to_a_pct": 22.6,
      "counterpart_coverage_a": {
        "mapped": 110,
        "universe": null,
        "pct": null
      },
      "counterpart_coverage_b": {
        "mapped": 151,
        "universe": null,
        "pct": null
      }
    },
    "abstraction": {
      "breadth_a_to_b": 3.14,
      "breadth_b_to_a": 1.94,
      "depth_a_to_b": 1.53,
      "depth_b_to_a": 1.1,
      "verdict": "CWE sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": {
        "signal": "cwe_abstraction",
        "distribution": {
          "Base": 66,
          "Class": 30,
          "Variant": 9,
          "Pillar": 4,
          "Compound": 1
        }
      },
      "intrinsic_b": null
    },
    "diff": {
      "authoritative_pairs": 567,
      "agreement": 332,
      "conflict": 235,
      "addition": 0,
      "examples": {
        "conflict": [
          [
            "CWE-1021",
            "T1036.004"
          ],
          [
            "CWE-1021",
            "T1548.004"
          ],
          [
            "CWE-113",
            "T1539"
          ],
          [
            "CWE-114",
            "T1574.013"
          ],
          [
            "CWE-117",
            "T1562.002"
          ],
          [
            "CWE-117",
            "T1562.003"
          ],
          [
            "CWE-117",
            "T1562.008"
          ],
          [
            "CWE-1188",
            "T1211"
          ]
        ],
        "addition": []
      }
    },
    "ppt": null
  },
  "diff": {
    "authoritative_pairs": 567,
    "agreement": 332,
    "conflict": 235,
    "addition": 0,
    "examples": {
      "conflict": [
        [
          "CWE-1021",
          "T1036.004"
        ],
        [
          "CWE-1021",
          "T1548.004"
        ],
        [
          "CWE-113",
          "T1539"
        ],
        [
          "CWE-114",
          "T1574.013"
        ],
        [
          "CWE-117",
          "T1562.002"
        ],
        [
          "CWE-117",
          "T1562.003"
        ],
        [
          "CWE-117",
          "T1562.008"
        ],
        [
          "CWE-1188",
          "T1211"
        ]
      ],
      "addition": []
    }
  },
  "edges": [
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1056",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 enables one clickjacking-based slice of T1056 (so partial) while T1056 only covers that narrow framing manifestation of the broad UI-restriction weakness (also partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-114",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 is the primary enabler for the malicious-DLL loading step in T1505.005, yet the technique only exercises one narrow registry-based manifestation of the broad process-control weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-114",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.006",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 enables T1574.006 mostly by directly permitting untrusted library loads via linker env vars, while T1574.006 exploits CWE-114 only partially as one narrow vector among many process-control flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-114",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1620",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-114's lack of control over loaded code directly enables in-memory reflective payloads (mostly), while T1620 only covers the narrow reflective/in-memory slice of that broad weakness surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-117",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1070",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 enables log forgery that can aid T1070 but T1070 succeeds via many other means; T1070 only touches the narrow log-injection slice of CWE-117's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1188",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1542.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Insecure defaults can ease initial access to flash firmware but T1542.002 relies on sophisticated component compromise and does not target the broad default-initialization surface of CWE-1188."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1188",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1556",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Insecure defaults can ease initial access needed for auth modification but are not required; T1556 targets runtime mechanisms rather than initialization surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220's overly-broad access controls are the primary reason service binaries can be overwritten, enabling T1574.010, yet the technique only touches the narrow file-permission slice of that weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1258",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1258 can leave sensitive values in accessible memory/files that T1005 might incidentally read (partial enablement), but T1005 performs generic local collection and never targets debug-mode uncleared state (no exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1268",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1268 concerns inconsistent hardware-enforced control vs. data policies while T1574.010 targets OS file ACL weaknesses on service binaries, so neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1269",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1195",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1269 does not create any path for T1195 to succeed, while T1195 can deliberately deliver a non-release image as one narrow slice of its supply-chain surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1270",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect token generation can facilitate successful manipulation outcomes but is not required for T1134, which instead targets post-generation token APIs and does not address generation flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1272",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 can leave creds in memory post-transition (enabling a subset of dumps) while T1003 broadly targets many OS caches/structures beyond this narrow transition surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1272",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 can leave extra sensitive data in memory/files that T1005 may later collect, but T1005 succeeds via many other sources; T1005 only touches one narrow slice of the CWE's state-transition surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1301",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1301 primarily enables T1005 by leaving sensitive hardware remnants available for collection, while T1005 only narrowly exploits the weakness as one of many local data sources."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1322",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.004",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1322 produces hangs rather than crashes so does not enable T1499.004's exploitation path; T1499.004 can touch the blocking surface as one narrow DoS vector among many crash-based weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1323",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1323 supplies one unprotected local data source that T1005 can read, yet T1005 succeeds on many other sources and does not specifically target trace data."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1323",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1119",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1323 supplies one extra unprotected data source that T1119 scripts could harvest, yet T1119 succeeds fully via other collection vectors; conversely T1119 can touch the trace-data exposure but only as one narrow slice of its broad automated-collection surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1325",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1325 directly enables memory exhaustion via unbounded allocations (mostly), while T1499.003 can target many resource types beyond this specific sequential-memory flaw (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1326",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1553.002",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-1326 enables unsigned/adversarial boot code via absent hardware RoT, while T1553.002 concerns acquisition of valid signing certificates for user-mode binaries; the two touch only indirectly via secure-boot signature checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1112",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "T1112 succeeds via admin privileges or malware without needing external config control, while registry modification only covers one narrow slice of CWE-15's broad configuration surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1547.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables T1547.001 only partially because registry writes can succeed via direct privileges without external config exposure; T1547.001 exploits CWE-15 only partially because run keys are one narrow slice of the broad configuration surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1547.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 mostly enables T1547.004 by permitting external registry changes to Winlogon keys, while the technique exploits only one narrow slice of the broad CWE-15 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1547.014",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 is the direct means to alter the HKLM Active Setup key (primary enabler), while T1547.014 touches only that single registry manifestation of the broad configuration-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.006",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables T1574.006 mostly by permitting external setting of LD_PRELOAD-style variables, while the technique exploits only the narrow env-var slice of CWE-15's broad configuration surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.007",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables T1574.007 mostly because external PATH control is the primary vector for the described interception, while the technique exploits only the narrow PATH slice of CWE-15's broad config surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1647",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 is the primary enabler for unauthorized plist modification, yet T1647 only targets one narrow slice of the broad configuration-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Encoding flaws can let certain encoded obfuscations evade handling (partial enablement) while T1027 only uses encoding among many obfuscation methods and thus covers only a slice of CWE-172's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables only the encoding slice of T1027 (other obfuscation methods work without it), while T1027 uses encoding among many techniques and therefore covers only part of the CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 can let certain encoded/obfuscated inputs bypass filters (partial enablement) but T1027 succeeds via many other mechanisms and does not target the validate-before-canonicalize surface at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 does not enable T1027 (obfuscation succeeds without any input-validation flaw) and T1027 does not target the CWE-20 surface (it evades detection, not input handling)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1036.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables T1036.001 only partially (user deception works without it) while T1036.001 exploits only one narrow slice of CWE-20's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.007",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 plays no role in enabling PATH hijacking (which relies on search order and directory permissions) and T1574.007 does not target any input-validation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1007",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1007 uses legitimate OS utilities rather than exploiting an information-exposure weakness; the technique can incidentally surface service metadata that falls under CWE-200 but covers only a tiny slice of that weakness's many disclosure vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1016",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1016 (standard OS commands succeed regardless), while T1016 only touches one narrow slice of sensitive data covered by CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1018",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1018 is active OS-command discovery; CWE-200 exposure is neither required nor the primary enabler."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1033",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1033 only partially since user discovery can succeed via other vectors such as credential dumping; conversely T1033 exploits only a narrow slice of the broad CWE-200 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1046",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1046 (discovery succeeds via active probing alone) while T1046 only partially exploits CWE-200 by incidentally surfacing service metadata that may be sensitive."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1049",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1049 (discovery succeeds via normal OS queries regardless), while T1049 exploits only one narrow slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1057",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required for T1057 (authorized queries or other CWEs suffice), while T1057 only touches the narrow process-info slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1069",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 can leak permission data that aids T1069 but is unnecessary since T1069 succeeds via queries, tools, or other channels; conversely T1069 only touches the narrow permission slice of CWE-200's broad sensitive-information surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1082",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1082 only partially because system discovery can occur via authorized commands or other flaws; T1082 exploits CWE-200 only partially because it targets one narrow slice (OS details) of the broad sensitive-information exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1083",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1083 (discovery proceeds via OS utilities regardless of prior exposure), while T1083 exploits only a narrow slice of CWE-200's broad information-exposure surface via file enumeration."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1087",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 mostly enables T1087 by leaking account names/roles that directly aid enumeration, though other discovery methods exist; T1087 exploits only the account-listing slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1111",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1111 (interception works via keyloggers or direct targeting regardless of prior exposure), while T1111 only touches one narrow slice of the broad sensitive-information exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1120",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1120 is active enumeration via OS APIs rather than passive exposure of sensitive data, so CWE-200 neither enables nor is canonically exercised by this technique."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1124",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1124 uses normal OS queries rather than any exposure weakness, while system time is only one narrow case of the broad CWE-200 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 mostly enables token theft by surfacing credentials an adversary can duplicate, while T1134.001 only covers the narrow token-duplication slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1135",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1135 (discovery succeeds via protocol enumeration regardless of sensitive-data exposure), while T1135 only touches one narrow slice of the broad CWE-200 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1217",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 may furnish some accessible browser data but is not required for local enumeration, while T1217 only touches the browser-info slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables cookie theft for T1550.004 but is not required (other theft vectors exist); T1550.004 uses only the narrow session-cookie slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1590",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1590 only partially (recon succeeds via scanning without exposure); T1590 exploits CWE-200 only partially (network exposure is one narrow slice of its broad recon surface)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1592",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1592 only partially because host data can still be gathered via active scanning without any exposure; T1592 exploits CWE-200 only partially because it targets one narrow slice (host configuration) of the broad sensitive-information surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1595",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Active scanning gathers many infrastructure details without needing sensitive-info exposure, while the technique only touches one narrow slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1615",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 mostly enables T1615 by allowing unauthorized access to GPO files in SYSVOL; T1615 exploits only the narrow GPO slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-204",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1592.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-204 enables T1592.002 only partially (banners and port data suffice without discrepancies); T1592.002 exploits CWE-204 only partially (technique focuses on explicit disclosures, hitting discrepancy surface narrowly)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-205",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1082",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-205 can leak limited system details via side behaviors but is not required for T1082's direct queries; T1082 only touches one narrow slice of the broad discrepancy surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-205",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1592.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-205 enables T1592.002 only partially because software fingerprinting succeeds via banners/ports without behavioral discrepancies; T1592.002 exploits CWE-205 only partially as it covers one narrow reconnaissance slice among many possible weakness manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-208",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1592.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-208 timing leaks do not enable software-version reconnaissance, and T1592.002 banner/port collection does not target timing surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-226",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-226 enables T1005 partially (lingering data in reused memory aids collection but T1005 succeeds via files/configs too); T1005 exploits CWE-226 partially (covers process memory but only one slice of the broad reuse surface)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-226",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.004",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-226 concerns uncleared reuse of transient resources (e.g., memory) while T1552.004 only reads static key files from disk directories, so neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password aging has no bearing on obtaining or using valid accounts over remote services, so neither direction applies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging aids long-term credential persistence but is not required for T1078 to succeed via other means; T1078 only touches the aging-related slice of the weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078.001",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-262 does not create or enable default-account abuse paths, while T1078.001 only touches the aging surface in the narrow case of never-rotated factory passwords."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Absence of aging lengthens the window for successful guesses but is not required for the technique, which instead targets weak/no lockout policies and does not exercise any aging-related surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets sprayed credentials remain valid longer (partial enablement) but spraying targets common passwords/lockout gaps, not aging surfaces at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Absence of password aging keeps old credentials valid longer and thus partially enables stuffing, yet stuffing itself targets cross-site reuse rather than the aging surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1133",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging aids long-term credential validity for T1133 persistence but is not required for the technique; T1133 can leverage remote-service credential surfaces that include (but are not limited to) non-aging passwords."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password aging controls long-term credential lifetime and has no bearing on Kerberos ticket acquisition or forgery paths; T1558 therefore neither depends on nor exercises the absence of aging mechanisms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging lets service-account passwords remain static and thus easier to crack offline, but Kerberoasting succeeds against any weak hash regardless; conversely the technique only touches the static-password slice of the aging weakness via TGS tickets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration keeps stolen creds valid longer for T1021 use, yet T1021 neither requires nor targets password aging and can succeed with fresh credentials."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-263 lengthens credential lifetime but supplies neither accounts nor share access, while T1021.002 simply re-uses already-valid credentials and never touches expiration policy."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration enables persistence via stolen creds but is not required for T1078 to succeed; T1078 abuses valid accounts without specifically targeting or covering the expiration-policy surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration allows already-known default credentials to remain usable for extended periods (partial enablement) but T1078.001 targets the existence of default creds themselves, not the aging surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration lets a guessed password remain usable longer (partial enablement) but guessing itself never interacts with or targets the aging policy (no exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration does not enable cracking itself (technique succeeds regardless) but can prolong cracked-credential utility; cracking targets hashes, not the aging policy surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.003",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration does not create or widen any path for password spraying, and spraying never targets or depends on the aging interval."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1114.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long password expiration neither enables remote mailbox access (which requires valid credentials regardless of age) nor is exploited by email-collection tooling that simply uses whatever credentials it obtains."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1133",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration weakly aids persistence after T1133 succeeds but is neither required nor specifically targeted by the technique."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration keeps service-account passwords static long enough for offline cracking to remain useful (partial enablement), while Kerberoasting only targets the resulting long-lived weak passwords rather than the policy surface itself (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1115",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 does not enable T1115 (clipboard access is a standard user-context OS feature, not a privilege-definition flaw) and T1115 does not exploit CWE-267 (it uses normal APIs rather than any unsafe privilege surface)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1123",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 can enable audio capture when an over-privileged API is misused, but T1123 succeeds via many other routes; conversely T1123 only touches one narrow unsafe action among the broad surface of CWE-267."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1125",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 enables T1125 only partially (video capture can occur via direct API access or other weaknesses); T1125 exploits CWE-267 only partially (video capture is one narrow unsafe action among many possible privilege misuses)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1548",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 is the primary root cause enabling T1548 abuse of elevation mechanisms, yet T1548 only covers the elevation-control slice of CWE-269's broad privilege surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-272",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-272 partially enables elevated execution of a replaced installer binary but is not required for the file-permission overwrite itself; T1574.005 targets directory/binary ACLs and does not rely on the privilege-dropping flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-272",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-272 concerns failure to drop elevated privileges after privileged ops, while T1574.010 succeeds solely via weak filesystem ACLs on service binaries and does not rely on or target that privilege-management surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-276",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-276's default permission flaw is the primary enabler for T1574.010's service-binary replacement, yet the technique only targets one narrow slice of the broad default-permission surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-282",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-282 can indirectly contribute to permissive file conditions that enable T1574.005 but is neither required nor the primary cause; T1574.005 targets permission misconfigurations on installer binaries and does not exercise ownership verification surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-282",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper ownership can contribute to unauthorized binary replacement but is neither necessary nor the primary enabler of the described permission flaw; the technique targets a narrow permissions slice that only incidentally touches ownership management."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1014",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control can enable rootkit deployment by permitting unauthorized low-level hooks but is not required (other CWEs suffice); rootkits in turn only touch the narrow stealth/hiding slice of the broad AC surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1037",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for adversaries to modify boot/logon scripts, but the technique only targets the narrow slice of access configurations around initialization scripts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1080",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1080 by allowing unauthorized writes to shared storage, while T1080 only exploits one narrow slice of the broad CWE-284 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables T1505.005 only partially (adversary still needs a write primitive or prior foothold), while T1505.005 exploits only a narrow slice of the broad CWE-284 surface (DLL path or service registration permissions)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1542.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control can indirectly help an attacker obtain the privileges needed to write a boot sector but is neither necessary nor the primary enabler; a bootkit does not target or rely on access-control surfaces at all, operating below the OS."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1543",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for unauthorized system-process creation, yet T1543 only touches the narrow slice of that weakness surface dealing with OS services/daemons."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1543.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1543.001 by allowing unauthorized writes to LaunchAgent plists; T1543.001 exploits only one narrow slice of the broad access-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1543.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1543.003 by permitting unauthorized service creation/modification; T1543.003 exploits only the narrow service-registry slice of CWE-284's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1543.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is the primary enabler for unauthorized writes to LaunchDaemon plists, while T1543.004 only touches one narrow slice of the broad access-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1546.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1546.001 by permitting unauthorized Registry writes that the technique requires; T1546.001 exploits only the narrow Registry-key slice of CWE-284's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1546.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1546.004 by allowing unauthorized writes to shell config files; T1546.004 exploits only the file-write slice of CWE-284's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1546.008",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1546.008 by allowing unauthorized modification of accessibility binaries/registry; T1546.008 exploits only one narrow slice of CWE-284's broad access-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1546.016",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for an adversary to introduce or abuse malicious installer packages/scripts, while the technique only touches one narrow slice of the broad CWE-284 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1547",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 can enable T1547 by permitting unauthorized autostart config changes, yet many other weaknesses suffice; T1547 only touches one narrow slice of CWE-284's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1547.006",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1547.006 by allowing unauthorized kernel-module loading; T1547.006 exploits only the narrow module-loading slice of that broad weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1553.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1553.004 by allowing unauthorized root-cert installation on a system; T1553.004 exploits only one narrow slice of the broad CWE-284 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1556.006",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for unauthorized MFA modification, yet the technique only targets one narrow slice of that broad weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.011",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is the root cause enabling T1574.011 by allowing unauthorized registry modification, while the technique only targets one narrow permissions surface among many possible access-control flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 can aid unauthorized file access but is unnecessary for T1005 (which assumes prior access), and T1005 performs generic collection without targeting authorization checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1012",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "T1012 succeeds on any Windows system via normal reg utilities regardless of authorization checks, while registry queries represent only one narrow slice of CWE-285's broad authorization surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1083",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization can permit unauthorized file access but is not required for T1083 (which works via legitimate or other means); T1083 does not target authorization surfaces at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134.001",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Token impersonation succeeds against correct authorization by abusing valid tokens; it only covers one narrow slice of CWE-285's broad authorization surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 does not enable cookie theft/use (technique works with proper auth on a valid session) and T1550.004 targets session validity/MFA bypass rather than authorization checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization does not create or expose Registry credential storage, and Registry searches for creds do not rely on or target authorization-check failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization is the primary enabler of the file-permission hijack (without it the overwrite fails), yet the technique only touches one narrow slice of CWE-285's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.006",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization can partially enable the technique by allowing an adversary to set LD_PRELOAD-style variables for a target process, but the attack primarily exploits dynamic-linker behavior rather than any authorization check surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization is the root condition that permits binary replacement, yet T1574.010 only targets one narrow slice (service-binary file ACLs) of that broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1040",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 is not required for T1040 to capture credentials in transit, and T1040 targets transmission exposure rather than authentication verification flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Token manipulation abuses OS-level identity context after initial access and is unrelated to a product failing to verify claimed identities (CWE-287)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1185",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 may indirectly facilitate session use after hijack but T1185 succeeds via stolen tokens regardless of initial auth strength and targets session handling, not auth verification."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper auth can facilitate web-shell upload but is unnecessary (other weaknesses suffice), while web-shell usage never targets or covers the auth weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1548",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper auth can aid initial access but is not required for T1548 to abuse elevation controls on an already-authenticated session; conversely T1548 targets elevation mechanisms rather than authentication surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Token theft/use succeeds against correct token auth (no weakness needed), while the technique only touches the token-validation slice of CWE-287's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables T1557 only partially because T1557 can still achieve network positioning/sniffing/manipulation without any auth flaw; T1557 exploits CWE-287 only partially because it targets narrow protocol-level manifestations rather than the full authentication surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1211",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 directly supplies an unmonitored channel that T1211 can abuse for stealth, yet T1211 exploits many unrelated weaknesses beyond auth bypass."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1542.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 could furnish an unauthenticated channel to a firmware-update function (partial enablement) but T1542.002 does not target or rely on any such pre-existing weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1556",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-288 is a static design flaw (existing alternate unauthenticated channel) unrelated to the active modification of auth mechanisms that defines T1556."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1036.001",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 is unrelated to code-signature validation so does not enable T1036.001, while the technique only touches one narrow spoofing vector within the broader authentication-bypass surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1134 relies on legitimate token APIs rather than spoofing flaws in auth schemes, while token impersonation only touches one narrow slice of CWE-290's broader spoofing surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134.001",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Token impersonation relies on OS token handling rather than spoofing-based auth bypass, while the technique represents only one non-canonical exploitation path among many spoofing variants covered by CWE-290."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1528",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 enables spoof-based auth bypass but has no bearing on token theft success; T1528 obtains valid tokens via separate vectors and never targets spoofing surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 (spoofing-based auth bypass) neither enables cookie theft/replay nor is exploited by T1539, which instead targets cookie exposure surfaces such as memory or network."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 enables cookie-based session use only partially (technique succeeds via client-side theft without any spoofing flaw); T1550.004 exploits only a narrow slice of spoofing surfaces by replaying valid tokens rather than forging identities."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth surface is the primary enabler for the protocol-abuse paths that realize T1557, yet T1557 can also reach its goals via non-spoofing routes and only exercises one slice of that surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables replay-based access to remote services (partial) but T1021 assumes valid accounts obtained by any means and does not target the capture-replay surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 can partially enable SMB share access by replaying sniffed credentials, but T1021.002 assumes valid accounts and does not target or cover the capture-replay surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1114.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 supplies one possible credential-acquisition path for T1114.002 but is unnecessary (other theft methods work); T1114.002 only touches replay when credentials happen to be obtained that way, a narrow slice of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1133",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 can enable one auth-bypass path into the remote services of T1133 but is not required; T1133 can exploit capture-replay on external gateways yet only covers a narrow slice of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.002",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-294 describes network replay of auth traffic; PtH uses captured hashes directly via protocol APIs and is enabled by unrelated weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 is the primary enabler for ticket replay in PtT, but PtT only covers the Kerberos-specific slice of the broader capture-replay surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables cookie replay only when cookies are captured via network sniffing (other theft methods exist), while T1550.004 directly performs replay of session tokens and therefore covers most of the CWE-294 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables only the replay sub-behavior of T1557 (so partial) while T1557 covers replay among many other AiTM uses and therefore hits only one slice of the capture-replay surface (also partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables only the network-sniffing subset of T1558 (Pass-the-Ticket via replay) while T1558 succeeds via memory theft/forgery without it; T1558 in turn touches only the Kerberos-ticket slice of the broad capture-replay surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1040",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 mostly enables T1040 by exposing plaintext traffic to passive capture, while T1040 only partially exploits CWE-300 by addressing passive sniffing but not active channel influence."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1185",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "T1185 succeeds via endpoint compromise (MITB/extensions) without needing non-endpoint channel access, and does not target CWE-300's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 is the primary enabler of T1557 by allowing non-endpoint channel access, while T1557 directly exploits that surface via protocol abuse but does not cover every possible manifestation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 is an app-level auth flaw that does not enable OS token APIs, while T1134 directly abuses the immutability assumption for one narrow slice of that weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1528",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 can partially enable token acquisition via auth bypass on mutable data, but T1528 steals tokens through unrelated surfaces (memory, storage) and does not target immutability assumptions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.007",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 is narrowly scoped to authentication data assumptions and has no bearing on PATH hijacking for execution, while T1574.007 targets a generic mutable environment variable unrelated to any auth scheme."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables password spraying/brute-force paths to T1078 but T1078 succeeds via phishing, leaks, etc.; T1078 only touches the brute-force slice of CWE-307's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables T1110.001 mostly by permitting unlimited attempts that the technique requires to succeed, while T1110.001 exploits the weakness mostly as one direct manifestation among related brute-force variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables T1110.003 only partially because spraying is explicitly designed to succeed even when lockouts exist, while the technique exploits the weakness mostly by distributing attempts to remain below per-account thresholds."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 is a primary enabler for large-scale automated stuffing (mostly) while T1110.004 only exercises the rate-limiting slice of that weakness surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 is a primary enabler for T1021 via stolen passwords alone, though T1021 can still succeed with MFA bypasses; T1021 only hits the remote-login slice of the broad single-factor weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth makes valid-account acquisition easier (partial enablement of T1021.002) but the SMB technique itself neither targets nor traverses any authentication-factor surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 mostly enables T1078 by removing the MFA barrier that would otherwise block credential-based account abuse, while T1078 only partially exploits CWE-308 since it covers credential theft/abuse but leaves other single-factor attack surfaces (e.g., phishing, brute-force without account validity checks) untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth is the primary enabler for credential-based abuse of default accounts, while default-account attacks cover only one narrow slice of the broad single-factor weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.001",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth is the sole prerequisite that lets password guessing succeed unaided (full enablement), while guessing only targets the password manifestation of the broader single-factor weakness surface (mostly exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth is the primary reason password cracking yields account access (MFA would block it), while password cracking directly targets the main manifestation of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth (passwords) is the main precondition that lets password spraying succeed at scale, while spraying directly targets the password surface of that weakness but does not address other single-factor forms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth is the primary enabler for credential stuffing to succeed, yet stuffing only covers one narrow slice of the weakness's exploitation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1114.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth enables credential-based remote email access mostly (MFA would block the direct path), while the technique only hits the email-service slice of the broad weakness partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1133",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth is a primary enabler for successful credential-based access via T1133 remote services, while T1133 only touches the narrow authentication slice of that weakness's broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth is the primary enabler for PtH success, but PtH only targets the narrow password-hash slice of that weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "T1558 succeeds via memory/network access or KDC compromise regardless of factor count, and targets ticket caching/issuance surfaces rather than single-factor decision points."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth on service accounts is the primary reason a cracked TGS hash yields usable access (mostly enabling), while Kerberoasting only targets the Kerberos password-hash slice of that weakness rather than its full MFA surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password auth weaknesses enable credential-based remote logins but are not required for T1021 (keys/certs also work); T1021 only touches the password slice of CWE-309's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 can aid credential acquisition for T1021.002 but is not required; T1021.002 uses already-valid accounts and does not target password authentication flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth is a primary enabler for credential theft/abuse in T1078, but T1078 only hits a slice of the weakness surface via stolen passwords rather than all possible password flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth enables default-account abuse because the attack relies on guessable/default credentials; conversely, default accounts are only one narrow slice of the broad password-system weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 is the primary reason password guessing can succeed, yet T1110.001 only covers one narrow slice of password-system weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password systems enable cracking attacks as a core shortcoming, yet cracking only targets the hash-recovery slice of the weakness's broader surface (shoulder-surfing, reuse, etc.)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 is the primary reason password spraying is viable at all, yet spraying only targets one narrow slice (common-password guessing) of the broad set of password-system flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth is the core prerequisite that makes credential stuffing viable, yet stuffing only targets the reuse slice of CWE-309's broader flaw surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1114.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password weaknesses can aid credential theft used by the technique but are unnecessary for success, while the technique only touches one narrow slice of password-system flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1133",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password-system flaws are a primary enabler for credential attacks on external remote services, yet T1133 only touches one narrow slice of the broad password-weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables Kerberoasting mostly by making offline password cracking viable, while Kerberoasting exploits only the narrow ticket-hash slice of CWE-309's broad password-auth surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly exposes plaintext files that T1005 can harvest, yet T1005 can still locate and copy data even when encrypted and only touches the local-storage slice of CWE-311's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1040",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption is the primary reason sniffing yields sensitive data in transit, yet T1040 only touches the transmission slice and ignores storage or non-network vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1056.004",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-311 concerns absence of encryption for data at rest/in transit while T1056.004 captures plaintext credential parameters via API hooking, so neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1111",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption can aid network interception of MFA material in transit but T1111 succeeds via client-side theft (keyloggers, token theft) that does not require or target this weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption enables only the network-sniffing vector of cookie theft while T1539 also succeeds via memory/disk access; conversely the technique only touches the transmission slice of the broad encryption weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption enables T1552.004 mostly by leaving private keys directly usable, while the technique exploits only the private-key slice of CWE-311's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-312",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-312 enables T1005 only partially (collection succeeds on any local data) while T1005 exploits the cleartext exposure surface mostly (directly reads the unprotected sensitive files)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-312",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-312 is the primary reason private keys become readable when found, enabling T1552.004 mostly, yet the technique only targets one narrow slice of the broad cleartext-storage surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-314",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Cleartext registry storage directly supplies readable sensitive data that T1005 can harvest from the local system, yet T1005 also targets many other sources so it only touches one slice of the weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-315",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-315 supplies one readable cookie file that T1005 can harvest, yet T1005 succeeds against many other local sources and only touches one narrow slice of cookie-related exposures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-315",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-315 enables T1539 mostly by making session tokens directly usable once obtained; T1539 exploits CWE-315 only partially because cookie theft also succeeds from memory/disk even without cleartext exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-318",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 makes sensitive data trivially readable during T1005 file searches but T1005 succeeds against many other sources; T1005 only touches the executable-file slice of CWE-318's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-318",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 enables T1552.004 only partially (keys can be found via many other insecure locations) while T1552.004 never targets executables and thus exploits none of this weakness's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-319",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1040",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables T1040 mostly by making credential material readable on the wire, though T1040 can still gather non-sensitive metadata without it; T1040 exploits CWE-319 mostly by directly capturing the cleartext channel, yet only addresses the network-sniffing manifestation of the broader weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-325",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1553.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-325 weakens a crypto implementation but neither enables acquisition of signing materials nor is targeted by the code-signing technique."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak encryption enables offline brute-force on captured material but is irrelevant to online password guessing; brute force directly targets inadequate key/algorithm strength yet only covers one slice of the weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-328",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1553.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak-hash usage neither enables acquisition of signing material nor is targeted by the code-signing technique, which relies on valid certificates rather than hash collisions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-330",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-330 reduces entropy and thereby makes brute-force practical, yet T1110 can still succeed against non-random weaknesses (defaults, reused passwords); conversely T1110 only touches the low-entropy slice of CWE-330's broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1211",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables T1211 only partially (T1211 succeeds via many other weaknesses) while T1211 exploits only a narrow slice of CWE-345's broad authenticity surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1491",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 can enable certain defacement paths by letting tampered content be accepted, but many T1491 attacks succeed via other weaknesses; T1491 in turn only touches a narrow slice of the broad authenticity-verification surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1542.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 mostly enables T1542.002 by allowing acceptance of unauthenticated malicious firmware images, while the technique only narrowly exploits the broad data-authenticity surface via one specific firmware-update vector."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1556",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables T1556 only in cases where forged auth data/configs are accepted, while T1556 exploits only the data-authenticity slice of the broader weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 is the primary enabler of ARP poisoning (no authenticity check on replies), yet T1557.002 only targets one narrow protocol instance of the broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1584.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables one vector for server compromise (e.g., unauthenticated updates) but is not required; T1584.002 covers many unrelated compromise methods and therefore only touches one slice of the weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1528",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Origin validation flaws can enable token exfiltration via cross-origin vectors but are not required for most token-stealing methods; conversely, T1528 only touches a narrow slice of the broad origin-validation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 can enable limited cookie-misuse paths via cross-origin flaws but is not required for cookie theft/use; T1550.004 targets authenticated sessions without touching origin validation surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is the root cause that lets ARP poisoning succeed, yet T1557.002 only targets the single ARP-protocol instance of that broad validation weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1584.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is an input/validation flaw unrelated to initial server compromise; T1584.002 succeeds via unrelated vulns and never targets origin-validation surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-348",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 is the primary reason ARP replies are blindly accepted, enabling poisoning mostly, while T1557.002 only touches the single ARP manifestation of the broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-348",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1584.002",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-348 describes a product flaw in source selection; T1584.002 is adversary infrastructure compromise that may later feed false data to such a flawed product but is not enabled by it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-349 describes mixing trusted+untrusted data in one container; ARP poisoning sends standalone unauthenticated replies and neither enables nor targets that specific mixing surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-350",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1584.002",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Compromising DNS servers can alter PTR records to abuse CWE-350, but covers only one of many exploitation vectors and does not rely on the weakness itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1211",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing integrity checks allow undetected tampering (partial enabler for stealth) but T1211 focuses on monitoring/logging evasion via code execution and does not target transmission integrity surfaces at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1542.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing integrity checks primarily enable firmware tampering during transmission, while the technique can also exploit other weaknesses beyond transmission protocols."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1606.001",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-359 describes improper protection of personal data; T1606.001 forges cookies for session access and does not rely on or primarily exploit that exposure weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 permits an attacker to obtain a pre-authenticated session identifier but is not required for cookie theft or reuse; T1550.004 targets post-authentication cookie exfiltration vectors unrelated to fixation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1606",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Session fixation enables use of a pre-known valid ID after auth, whereas T1606 centers on generating new forged tokens/cookies unrelated to fixation mechanics."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-400",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 is the primary enabler for T1499's resource-exhaustion path (though T1499 also allows crash-based DoS), while T1499 directly targets the full resource-consumption surface of CWE-400."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-404",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can contribute to resource-exhaustion DoS but T1499 succeeds via many other paths; T1499 only touches the narrow resource-leak slice of CWE-404's broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-404",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can worsen exhaustion under load but is unnecessary for a flood to exhaust OS limits, while T1499.001 targets imposed quotas rather than any release flaw surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-404",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can worsen exhaustion under sustained load but is unnecessary for a flood to succeed, while T1499.003 targets finite resource limits rather than shutdown/release flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-412",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-412 enables a narrow DoS path via external lock control but is not required for T1499.004 crashes; T1499.004 only touches one slice of the lock-manipulation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-424",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1083",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-424 can partially enable T1083 by exposing restricted paths to enumeration, but T1083 succeeds via normal commands regardless; T1083 does not target or cover the alternate-path protection surface at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-425",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1083",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 permits web URL access that can aid discovery but T1083 succeeds via local commands without it; T1083 does not target the web authorization surface at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-426",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.007",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-426 is the primary enabler for T1574.007 via PATH manipulation, but the technique only covers one narrow slice of the broader untrusted-search-path surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-426",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.009",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-426 mostly enables T1574.009 because the untrusted search path weakness is the primary condition allowing higher-directory executable interception, while T1574.009 only partially exploits CWE-426 by covering solely the unquoted-path slice of that weakness's broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the primary root cause enabling search-order DLL hijacking within T1574.001, yet the technique only covers that narrow slice of the weakness alongside sideloading and phantom DLL variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.004",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the sole root cause enabling T1574.004 dylib hijacking via search-path manipulation, while the technique only covers the narrow dylib slice of the broader uncontrolled-search surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.007",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the direct and sole enabler of PATH hijacking, while T1574.007 only targets the PATH manifestation and leaves other uncontrolled search paths untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.008",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the sole enabler of T1574.008 (no uncontrolled element means no search-order hijack succeeds), yet the technique only covers one narrow Windows search-order slice of the CWE's broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.009",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the primary weakness enabling T1574.009's unquoted-path hijack, yet the technique only covers one narrow slice of CWE-427's broader search-path surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-430",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1036.006",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-430 is a downstream effect of the filename trick, not an enabler of it; T1036.006 triggers one specific wrong-handler case among many possible handler mis-assignments."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1090.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-441 can facilitate proxy-like behavior that an adversary might abuse, but T1090.001 succeeds via deliberate tooling without needing this weakness; the technique does not target the confused-deputy surface at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1534",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid internal spearphishing by enabling spoofed UI elements but is not required; T1534 leverages trusted internal accounts and only touches one narrow slice of the broad UI-misrepresentation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1566",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 is a primary enabler for most phishing deception but not required for attachment-based variants; T1566 exploits only the UI-misrepresentation slice of the weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1566.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid T1566.001 success via spoofed email/attachment rendering but is not required (other social-engineering vectors suffice); T1566.001 only touches a narrow slice of CWE-451's broad UI-misrepresentation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1566.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid link credibility in phishing but is not required for T1566.002 delivery; the technique only touches one narrow slice of the broad UI-misrepresentation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1566.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 is a primary enabler for phishing success via spoofed UI elements, but T1566.003 only covers one narrow delivery slice of that broad weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1598",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 mostly enables T1598 because UI misrepresentation is a primary vector for successful phishing lures, while T1598 exploits the weakness only partially since phishing can also rely on non-UI social engineering."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1598.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can facilitate T1598.001 via spoofed interfaces but is neither required nor the primary enabler for service-based info elicitation; conversely the technique only touches narrow UI-focused slices of the broad misrepresentation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1598.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid T1598.002 success via spoofed UI cues but is not required; the technique only touches one narrow slice of the broad UI-misrepresentation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1598.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 is a primary enabler for convincing spearphishing links via spoofed UI elements, though the technique can still succeed via pure social engineering; T1598.003 only targets the narrow link/UI slice of the broad CWE-451 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-488",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-488 can leak session tokens across boundaries and thereby aid cookie misuse, yet T1550.004 succeeds via many other theft vectors; the cookie-reuse technique itself never targets or traverses the cross-session exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1072",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is a primary enabler for malicious use of deployment tools (T1072) since they rely on remote code distribution, yet T1072 only touches one slice of the broader integrity-check surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1195.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is the primary enabler for T1195.001 to achieve execution, while the supply-chain compromise directly targets the no-integrity-check surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1195.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 mostly enables T1195.002 by permitting execution of the adversary's tampered artifact, while T1195.002 mostly exploits the weakness by directly manipulating the update/download channel it describes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-497",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1614",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-497 can expose location-related system data (timezone, locale) that aids T1614, but T1614 succeeds via many other channels; conversely T1614 only touches one narrow slice of the broad sensitive-info surface CWE-497 describes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027.003",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 does not enable T1027.003 (adversaries can apply steganography in malware without any product weakness) and T1027.003 does not exploit CWE-506 (it is merely a hiding method, not a means of triggering or misusing embedded malicious code)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027.009",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is an outcome, not an enabler of T1027.009; conversely the embedding technique directly realizes the weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1195.001",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the direct result of a successful T1195.001 rather than an enabler, while the technique covers only one narrow supply-chain manifestation of the broad CWE-506 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1195.002",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the direct result of T1195.002 rather than an enabler, while the technique fully covers the weakness by inserting malicious code through supply-chain manipulation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1218.001",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 does not enable T1218.001 (CHM abuse works independently of any pre-existing embedded malicious code), while T1218.001 exploits only one narrow slice of the many possible manifestations of CWE-506."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1221",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the end-state payload rather than an enabler of T1221, while T1221 is only one narrow template-based manifestation of the broad CWE-506 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-507",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1176",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-507 supplies the hidden malicious payload that makes a seemingly-benign extension succeed at persistence, yet T1176 only covers the extension-specific slice of the broader Trojan surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-507",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-507 enables T1505.004 only partially (Trojan delivery is one possible vector among many for installing IIS components); T1505.004 exploits CWE-507 only partially (IIS extensions are one narrow realization of hidden malicious functionality)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords enable credential guessing for remote logins but are not required (valid accounts can be obtained other ways); T1021 uses any valid account and therefore only touches one narrow slice of the password-weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords can aid initial credential acquisition for valid accounts but are not required for T1021.002 to succeed via other means; the technique itself targets SMB shares rather than password surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements partially enable default-account abuse by permitting unchanged factory credentials, while default-account usage only covers one narrow slice of the broader weak-password surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements make brute-force practical by lowering guess entropy (primary enabler), while brute force directly targets the guessability surface created by those requirements."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements primarily enable guessing by permitting easily guessable passwords, while guessing covers only one slice of the weakness's exploitation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements are the primary reason password cracking succeeds at scale, yet cracking only addresses the offline-hash slice of that weakness's broader attack surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements mostly enable spraying by permitting the exact common passwords it relies on, while spraying only partially exploits the weakness by targeting one narrow slice (common passwords) of its broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1114.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords can aid credential acquisition for email access but are unnecessary (phishing etc. suffice); the technique assumes valid creds and never targets password policy surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1133",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords are a primary enabler for credential guessing against exposed remote services, yet T1133 only covers one narrow slice of all possible weak-password abuse surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements mostly enable Kerberoasting success via offline brute-force, while Kerberoasting only partially exploits the weakness by targeting one narrow slice (service-account TGS tickets)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 mostly enables T1021 by directly supplying the valid accounts needed for remote login, while T1021 only partially exploits CWE-522 since credential interception is merely one of several ways to obtain those accounts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1021.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 supplies one possible source of valid accounts that T1021.002 can consume, but the technique succeeds via many other credential sources and does not itself target or traverse any credential-storage surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 directly enables credential theft paths into T1078 (though T1078 also succeeds via phishing/brute-force); T1078 only hits the interception slice of CWE-522's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 can contribute leaked creds that enable stuffing but is not required (other leak vectors exist); T1110.004 simply re-uses already-obtained creds and never touches the storage/transmission flaw itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1114.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 mostly enables T1114.002 by supplying the credentials the technique requires, while T1114.002 only partially exploits CWE-522 since it uses any valid credentials and does not specifically target their insecure storage or transmission."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1133",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 can aid T1133 by exposing creds used at remote gateways but is unnecessary (other vectors like phishing work); T1133 only touches the narrow remote-auth slice of CWE-522's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables hash capture (a prerequisite for PtH) only via one of many credential-access paths, while PtH itself operates on an already-captured hash and does not target the protection flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 mostly enables ticket theft required for PtT, while PtT only targets the narrow Kerberos-ticket slice of the broad credential-protection surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 is the primary reason private keys become discoverable via T1552.004, yet the technique only targets one narrow slice (private-key files) of the broad credential-protection weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables ticket theft only when creds happen to be stored/transmitted insecurely (other vectors like memory dumps still work), while T1558 covers only the narrow cached-ticket slice of the broad CWE-522 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558.003",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Kerberoasting obtains crackable ticket material via protocol abuse rather than exploiting insecure credential storage/transmission."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-524",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-524 supplies one accessible cache source among many that T1005 can harvest, while T1005 only touches the cache slice of CWE-524's broader local-data exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-525",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1005",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-525 places sensitive data into browser cache files that T1005 can harvest from the local filesystem, yet T1005 succeeds against many other local sources and only incidentally touches cached web data."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1528",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 enables token theft only when the token happens to be the sensitive value persisted in a cookie (other theft vectors exist), while T1528 covers only that narrow cookie-based slice of the weakness's broader sensitive-data surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 enables T1539 only partially (stealing works from memory/network too) while T1539 exploits the persistent-cookie surface mostly (directly targets the stored sensitive value)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies long-lived sensitive session tokens that T1550.004 directly steals and replays, yet the technique can also target non-persistent or non-cookie authenticators."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 can expose credential files and thereby give T1003 one optional vector, but T1003 succeeds via memory/registry dumping without any external-file exposure and does not target the broad external-access surface of CWE-552."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1039",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552's exposure of shares is the primary enabler for T1039's post-compromise collection, yet T1039 only targets the network-share slice of the broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1119",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly supplies the unauthorized file access that automated collection relies on (mostly enabling), yet T1119 only exercises one narrow slice of that broad exposure surface via scripted retrieval."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1213",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 enables external access to repos (one vector for T1213) but T1213 succeeds via many other paths; T1213 only touches the exposed-files slice of CWE-552's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1530",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 is the primary enabler for unauthorized cloud-storage reads via misconfiguration, yet T1530 only covers the cloud-storage slice of the broader file-exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly enables external discovery of credential files (mostly), while T1552.001 only targets the credential-file slice of CWE-552's broad exposure surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 can expose history files to outsiders (enabling T1552.003 without a full compromise) but is not required once local access exists; T1552.003 only targets one narrow file-based slice of the broad exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly enables discovery of private keys via external or unauthorized access to their storage locations; T1552.004 only covers the narrow slice of that surface involving cryptographic key files after compromise."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.006",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 mostly enables T1552.006 by exposing SYSVOL, but the technique only exploits one narrow slice of the broad accessibility surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1555",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 enables T1555 only when password stores are the exposed files (technique works via local access or other vectors otherwise); T1555 exploits only the narrow password-store slice of the broad exposure surface in CWE-552."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1602",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 mostly enables T1602 by directly exposing configuration files to external collection, while T1602 exploits CWE-552 only partially by targeting one narrow slice of its broad file-exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-553",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-553 enables T1505.003 mostly (accessible shell is the direct persistence vector but other placement flaws can also suffice); T1505.003 exploits CWE-553 fully (web shell placement exactly matches the weakness surface)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-565",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-565 is the primary reason a stolen session cookie remains usable (enables mostly), while T1539 directly targets and exercises that missing validation surface (exploits mostly)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-567",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-567 can produce crashes exploitable for DoS but is only one of many such weaknesses, while T1499.004 broadly targets any crash-inducing vuln and therefore covers only a narrow slice of CWE-567's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-59",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1547.009",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-59 is not required for T1547.009 to succeed (adversary simply plants a working .lnk), yet shortcut modification only touches one narrow slice of the broad link-following surface CWE-59 describes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables client-controlled bypasses of server decisions but is neither required nor targeted by cookie theft, which succeeds via separate vectors such as XSS or network capture."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-642",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 enables T1134 mostly because token manipulation requires the ability to externally control critical security state; T1134 exploits CWE-642 only partially as it targets one narrow Windows-specific slice of the broad weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-642",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1528",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 directly enables token theft by exposing critical state but is not required for all T1528 paths; T1528 only covers the token-specific slice of CWE-642's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-642",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 makes session cookies externally accessible and is thus the primary enabler for cookie theft, yet T1539 only targets the narrow cookie slice of the weakness's broader critical-state surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-645",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1531",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-645 is the primary enabler for easy lockout-based denial in T1531, yet T1531 also removes access via deletion, credential changes, and other non-lockout paths that ignore this weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance primarily enables T1078 success via stolen credentials, while T1078 only targets the authentication slice of CWE-654's broad single-condition surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables default-account abuse only when the single factor is precisely the default credential (other paths exist); T1078.001 covers only the narrow default-credential slice of the broad single-factor surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 is the primary enabler for password guessing to yield account access (multi-factor would block it), while password guessing only targets one narrow slice of the broad single-factor weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables T1110.002 mostly (single-factor password auth is the main precondition for cracking to yield access) while T1110.002 exploits CWE-654 only partially (targets the password manifestation among many possible single factors)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance is the primary reason password spraying can succeed, yet spraying only targets the password slice of that broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 mostly enables T1110.004 by making password-only checks the sole gate; T1110.004 exploits only one narrow slice of the broad single-factor surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1558",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables T1558 mostly because ticket forgery succeeds only when the ticket alone grants access; T1558 exploits CWE-654 only partially as it targets one narrow slice (Kerberos) of the broad single-factor surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper sync can cause crashes usable for DoS but is neither required for T1499.004 nor the primary surface it targets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 is the primary enabler for token manipulation attacks like T1134, yet T1134 only covers one narrow slice of the broad resource-lifetime surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 can enable token theft via flawed handle lifetime management but is not required for T1134.001, while the technique only abuses one narrow token-specific slice of the broad resource-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1134.002 mostly because improper token lifetime control is the primary vector allowing token duplication/use, while the technique exploits only the narrow token/process-creation slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134.003",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1134.003 only partially because token creation/impersonation can succeed via other weaknesses such as insufficient privileges; T1134.003 exploits CWE-664 only partially because it targets one narrow slice (tokens) of the weakness's broad resource-lifetime surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1528",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Lifetime mismanagement can leave tokens exposed for theft but is not required for the technique, while token theft only hits one narrow slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1539",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables cookie theft only via specific lifetime mishandlings and is not required for T1539 to succeed via other vectors; T1539 in turn only touches narrow slices (memory/disk/network exposure) of the extremely broad CWE-664 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1550.004 only partially (other weaknesses can still let cookies be stolen), while the technique exploits only the narrow session-cookie lifetime slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1606",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1606 mostly because proper lifetime control (issuance/validation/expiry) would normally prevent forged credentials from being accepted, while T1606 exploits only the credential-specific slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-667",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper locking can contribute to some DoS states via deadlocks or races but is not required for crash-based exploitation; the technique targets memory-safety and similar flaws that do not intersect the locking surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1040",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables T1040 mostly by allowing capture of plaintext credentials, while T1040 exploits only the narrow encryption/transmission slice of the broad protection-mechanism surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1083",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Protection failure can enable discovery by removing access controls or enumeration blocks, but discovery succeeds via legitimate access or other vectors; T1083 only touches the narrow file-system slice of the weakness's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1565.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 mostly enables T1565.002 by omitting integrity protections on transit paths, while the technique only exploits the narrow transmission-integrity slice of the broad protection-failure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables T1574.005 mostly because failure to enforce the file-permission protection mechanism is the direct root cause, while T1574.005 only touches the narrow installer-binary slice of the broad protection-mechanism surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 is the broad category that directly contains the service-binary permission failure enabling T1574.010, yet the technique only touches one narrow slice of all possible protection-mechanism failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1611",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 is the primary enabler of container escapes (T1611) via failed isolation, yet T1611 only covers one narrow slice of the broad protection-mechanism surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can let certain obfuscated artifacts bypass a detector, yet T1027 succeeds against correct comparisons via encryption/encoding and does not target comparison flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-706",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1036",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 enables only some name-based paths of T1036 (metadata/user deception still works without it), while T1036 only touches the narrow name-manipulation slice of the broader CWE-706 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-706",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.008",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 is the primary enabler of search-order hijacking (no full path = incorrect resolution), yet the technique only covers one narrow slice of the CWE's broader name/reference surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.006",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 permits product-controlled filesystem paths from user input, while T1574.006 succeeds solely by an adversary setting linker environment variables before execution and never relies on or exercises that weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.007",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1574.007 relies on PATH search order and directory permissions rather than any software weakness that accepts external path input."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1083",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions can widen the files an adversary is able to reach during discovery but are not required for T1083 to succeed; conversely T1083 merely lists names and does not exercise the read/modify surface created by CWE-732."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1134.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 can partially enable token theft by exposing handles or resources an attacker would otherwise lack rights to access, but T1134.001 succeeds via many other paths; the technique itself targets token APIs and privileges rather than permission mis-assignments on resources."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions on the TS DLL or its registry path directly enable an adversary to replace it for persistence (mostly), yet T1505.005 only targets that single resource rather than the broad surface of CWE-732 (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1548",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms on elevation-critical resources (sudoers, setuid bins, etc.) are a primary path for T1548 but not required; T1548 only touches the permission slice of CWE-732's broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.004",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 can partially enable cookie theft via file access but T1550.004 itself only uses already-obtained cookies and does not target permission flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1553.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms on cert stores/keys can enable theft of signing material (one of several acquisition paths), while code signing only touches that narrow slice of the broad permission-misassignment surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1554",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms on binaries directly enable replacement for persistence (mostly), while binary modification only covers one narrow slice of the broad permission-misassignment surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.005",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 is the sole enabler of T1574.005 (the technique is defined by abuse of incorrect installer-binary permissions), yet T1574.005 only covers one narrow slice of the broad CWE-732 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.010",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 is the sole enabler of T1574.010 (technique cannot succeed without the permission flaw), while T1574.010 covers only the narrow Windows-service-binary slice of CWE-732's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.006",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 broadly enables T1574.006 by failing to neutralize env-var inputs that affect library loading, though the technique can also abuse OS features without app flaws; T1574.006 only hits the narrow LD_PRELOAD/DYLD slice of CWE-74's surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1600",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 directly enables T1600 by permitting downgrade to weak algorithms during negotiation (primary path for weakening), while T1600 only partially exploits it since weakening can also occur via config changes, firmware mods or other CWEs."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1498.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary reason a network flood can exhaust resources and succeed as DoS, yet T1498.001 only exercises one narrow slice (network packets) of the weakness's broad resource-allocation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1498.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 mostly enables T1498.002 by letting reflectors emit unlimited amplified responses; T1498.002 exploits only the network-response slice of that broad weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary enabler for the resource-exhaustion path of T1499, yet T1499 also covers unrelated crash-based DoS techniques that do not rely on unbounded allocation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary enabler for OS-level resource exhaustion attacks, yet T1499.001 only targets one narrow manifestation (e.g., TCP state tables) of the broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.002",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the sole enabler of successful service-resource exhaustion via flooding, while T1499.002 covers the dominant service-specific manifestation of that broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary enabler for resource-exhaustion DoS but other weaknesses can also permit T1499.003; the technique only targets one narrow slice of the broad allocation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-772",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.002",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing release can worsen resource pressure under load but is unnecessary for a flood to succeed, while a flood attack does not target the leak surface at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1078.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Hard-coded credentials enable default-account abuse only when the defaults are embedded in code (other vectors like docs suffice), while T1078.001 covers merely the default-account slice of the broader CWE-798 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1552.001",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-798 enables only the embedded-password slice of T1552.001 (technique still succeeds via user/config files), while T1552.001 directly covers the source/binary manifestation of hard-coded credentials."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1055",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables T1055 only via the narrow DLL-loading path among T1055's many injection methods, while T1055 covers only that one slice of CWE-829's broad untrusted-inclusion surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1176",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables T1176 mostly because malicious extensions are a direct realization of importing untrusted functionality, while T1176 exploits the weakness only partially by covering the narrow extension slice rather than the full surface of libraries, includes, and other inclusions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1195.001",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 is the primary enabler for T1195.001 success via supply-chain inclusion, yet the technique only covers the dependency-compromise slice of CWE-829's broader untrusted-inclusion surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly enables T1505.004 by permitting malicious IIS DLLs to be loaded from outside the trust boundary, while the IIS-component technique only covers one narrow slice of the broad untrusted-inclusion surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1505.005",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 is the primary enabler for loading an attacker-supplied Terminal Services DLL, yet T1505.005 only touches one narrow manifestation of the broad 'untrusted control sphere' surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1574.006",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 is the root cause that permits an attacker-controlled library to be loaded via LD_PRELOAD-style variables, but T1574.006 only exercises one narrow vector of that broad inclusion surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1620",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 can supply an untrusted payload that an adversary then loads reflectively, but T1620 succeeds via many other vectors and only touches one narrow slice of the broad inclusion surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-833",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1499.004",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Deadlock produces DoS via resource contention rather than enabling any exploitation path, and T1499.004 targets crash-inducing vulnerabilities that do not cover deadlock surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-836",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1550.002",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-836 is the sole enabler of T1550.002 because direct hash comparison is exactly what allows PtH to succeed, and PtH in turn uses the entire surface of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-862",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1556",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing authorization can enable an adversary to reach and alter auth mechanisms (but is neither necessary nor primary), while T1556 only touches one narrow slice of the broad missing-authorization surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-916",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1110.002",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-916 is the primary enabler that renders password cracking feasible, while T1110.002 directly and completely targets the insufficient computational effort surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1090.004",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 enables T1090.004 mostly because domain fronting succeeds by abusing CDNs that fail to bind the TLS endpoint to the later HTTP Host, while the technique exploits only a narrow slice of the weakness's broad endpoint-restriction surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1557.003",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 is the primary enabler of DHCP spoofing by allowing unauthenticated endpoints, yet T1557.003 only targets one narrow DHCP-specific slice of the weakness's broad surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-96",
      "target_framework": "MITRE_ATTACK",
      "target_id": "T1027.009",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-96 can let an attacker inject directives into static resources (partial enablement of embedding), but T1027.009 is purely a concealment tactic that never targets or traverses the neutralization flaw."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1003",
      "target_framework": "CWE",
      "target_id": "CWE-1272",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 can leave creds in memory post-transition (enabling a subset of dumps) while T1003 broadly targets many OS caches/structures beyond this narrow transition surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1003",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 can expose credential files and thereby give T1003 one optional vector, but T1003 succeeds via memory/registry dumping without any external-file exposure and does not target the broad external-access surface of CWE-552."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-1258",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1258 can leave sensitive values in accessible memory/files that T1005 might incidentally read (partial enablement), but T1005 performs generic local collection and never targets debug-mode uncleared state (no exploitation)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-1272",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 can leave extra sensitive data in memory/files that T1005 may later collect, but T1005 succeeds via many other sources; T1005 only touches one narrow slice of the CWE's state-transition surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-1301",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1301 primarily enables T1005 by leaving sensitive hardware remnants available for collection, while T1005 only narrowly exploits the weakness as one of many local data sources."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-1323",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1323 supplies one unprotected local data source that T1005 can read, yet T1005 succeeds on many other sources and does not specifically target trace data."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-226",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-226 enables T1005 partially (lingering data in reused memory aids collection but T1005 succeeds via files/configs too); T1005 exploits CWE-226 partially (covers process memory but only one slice of the broad reuse surface)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 can aid unauthorized file access but is unnecessary for T1005 (which assumes prior access), and T1005 performs generic collection without targeting authorization checks."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly exposes plaintext files that T1005 can harvest, yet T1005 can still locate and copy data even when encrypted and only touches the local-storage slice of CWE-311's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-312",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-312 enables T1005 only partially (collection succeeds on any local data) while T1005 exploits the cleartext exposure surface mostly (directly reads the unprotected sensitive files)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-314",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Cleartext registry storage directly supplies readable sensitive data that T1005 can harvest from the local system, yet T1005 also targets many other sources so it only touches one slice of the weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-315",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-315 supplies one readable cookie file that T1005 can harvest, yet T1005 succeeds against many other local sources and only touches one narrow slice of cookie-related exposures."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-318",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 makes sensitive data trivially readable during T1005 file searches but T1005 succeeds against many other sources; T1005 only touches the executable-file slice of CWE-318's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-524",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-524 supplies one accessible cache source among many that T1005 can harvest, while T1005 only touches the cache slice of CWE-524's broader local-data exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1005",
      "target_framework": "CWE",
      "target_id": "CWE-525",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-525 places sensitive data into browser cache files that T1005 can harvest from the local filesystem, yet T1005 succeeds against many other local sources and only incidentally touches cached web data."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1007",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1007 uses legitimate OS utilities rather than exploiting an information-exposure weakness; the technique can incidentally surface service metadata that falls under CWE-200 but covers only a tiny slice of that weakness's many disclosure vectors."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1012",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "T1012 succeeds on any Windows system via normal reg utilities regardless of authorization checks, while registry queries represent only one narrow slice of CWE-285's broad authorization surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1014",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control can enable rootkit deployment by permitting unauthorized low-level hooks but is not required (other CWEs suffice); rootkits in turn only touch the narrow stealth/hiding slice of the broad AC surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1016",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1016 (standard OS commands succeed regardless), while T1016 only touches one narrow slice of sensitive data covered by CWE-200."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1018",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1018 is active OS-command discovery; CWE-200 exposure is neither required nor the primary enabler."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password aging has no bearing on obtaining or using valid accounts over remote services, so neither direction applies."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration keeps stolen creds valid longer for T1021 use, yet T1021 neither requires nor targets password aging and can succeed with fresh credentials."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables replay-based access to remote services (partial) but T1021 assumes valid accounts obtained by any means and does not target the capture-replay surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 is a primary enabler for T1021 via stolen passwords alone, though T1021 can still succeed with MFA bypasses; T1021 only hits the remote-login slice of the broad single-factor weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password auth weaknesses enable credential-based remote logins but are not required for T1021 (keys/certs also work); T1021 only touches the password slice of CWE-309's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords enable credential guessing for remote logins but are not required (valid accounts can be obtained other ways); T1021 uses any valid account and therefore only touches one narrow slice of the password-weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 mostly enables T1021 by directly supplying the valid accounts needed for remote login, while T1021 only partially exploits CWE-522 since credential interception is merely one of several ways to obtain those accounts."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021.002",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-263 lengthens credential lifetime but supplies neither accounts nor share access, while T1021.002 simply re-uses already-valid credentials and never touches expiration policy."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021.002",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 can partially enable SMB share access by replaying sniffed credentials, but T1021.002 assumes valid accounts and does not target or cover the capture-replay surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021.002",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth makes valid-account acquisition easier (partial enablement of T1021.002) but the SMB technique itself neither targets nor traverses any authentication-factor surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021.002",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 can aid credential acquisition for T1021.002 but is not required; T1021.002 uses already-valid accounts and does not target password authentication flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021.002",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords can aid initial credential acquisition for valid accounts but are not required for T1021.002 to succeed via other means; the technique itself targets SMB shares rather than password surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1021.002",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 supplies one possible source of valid accounts that T1021.002 can consume, but the technique succeeds via many other credential sources and does not itself target or traverse any credential-storage surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Encoding flaws can let certain encoded obfuscations evade handling (partial enablement) while T1027 only uses encoding among many obfuscation methods and thus covers only a slice of CWE-172's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables only the encoding slice of T1027 (other obfuscation methods work without it), while T1027 uses encoding among many techniques and therefore covers only part of the CWE surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 can let certain encoded/obfuscated inputs bypass filters (partial enablement) but T1027 succeeds via many other mechanisms and does not target the validate-before-canonicalize surface at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 does not enable T1027 (obfuscation succeeds without any input-validation flaw) and T1027 does not target the CWE-20 surface (it evades detection, not input handling)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can let certain obfuscated artifacts bypass a detector, yet T1027 succeeds against correct comparisons via encryption/encoding and does not target comparison flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027.003",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 does not enable T1027.003 (adversaries can apply steganography in malware without any product weakness) and T1027.003 does not exploit CWE-506 (it is merely a hiding method, not a means of triggering or misusing embedded malicious code)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027.009",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is an outcome, not an enabler of T1027.009; conversely the embedding technique directly realizes the weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1027.009",
      "target_framework": "CWE",
      "target_id": "CWE-96",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-96 can let an attacker inject directives into static resources (partial enablement of embedding), but T1027.009 is purely a concealment tactic that never targets or traverses the neutralization flaw."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1033",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1033 only partially since user discovery can succeed via other vectors such as credential dumping; conversely T1033 exploits only a narrow slice of the broad CWE-200 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1036",
      "target_framework": "CWE",
      "target_id": "CWE-706",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 enables only some name-based paths of T1036 (metadata/user deception still works without it), while T1036 only touches the narrow name-manipulation slice of the broader CWE-706 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1036.001",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables T1036.001 only partially (user deception works without it) while T1036.001 exploits only one narrow slice of CWE-20's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1036.001",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 is unrelated to code-signature validation so does not enable T1036.001, while the technique only touches one narrow spoofing vector within the broader authentication-bypass surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1036.006",
      "target_framework": "CWE",
      "target_id": "CWE-430",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-430 is a downstream effect of the filename trick, not an enabler of it; T1036.006 triggers one specific wrong-handler case among many possible handler mis-assignments."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1037",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for adversaries to modify boot/logon scripts, but the technique only targets the narrow slice of access configurations around initialization scripts."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1039",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552's exposure of shares is the primary enabler for T1039's post-compromise collection, yet T1039 only targets the network-share slice of the broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1040",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 is not required for T1040 to capture credentials in transit, and T1040 targets transmission exposure rather than authentication verification flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1040",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 mostly enables T1040 by exposing plaintext traffic to passive capture, while T1040 only partially exploits CWE-300 by addressing passive sniffing but not active channel influence."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1040",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption is the primary reason sniffing yields sensitive data in transit, yet T1040 only touches the transmission slice and ignores storage or non-network vectors."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1040",
      "target_framework": "CWE",
      "target_id": "CWE-319",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables T1040 mostly by making credential material readable on the wire, though T1040 can still gather non-sensitive metadata without it; T1040 exploits CWE-319 mostly by directly capturing the cleartext channel, yet only addresses the network-sniffing manifestation of the broader weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1040",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables T1040 mostly by allowing capture of plaintext credentials, while T1040 exploits only the narrow encryption/transmission slice of the broad protection-mechanism surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1046",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1046 (discovery succeeds via active probing alone) while T1046 only partially exploits CWE-200 by incidentally surfacing service metadata that may be sensitive."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1049",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1049 (discovery succeeds via normal OS queries regardless), while T1049 exploits only one narrow slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1055",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables T1055 only via the narrow DLL-loading path among T1055's many injection methods, while T1055 covers only that one slice of CWE-829's broad untrusted-inclusion surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1056",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 enables one clickjacking-based slice of T1056 (so partial) while T1056 only covers that narrow framing manifestation of the broad UI-restriction weakness (also partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1056.004",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-311 concerns absence of encryption for data at rest/in transit while T1056.004 captures plaintext credential parameters via API hooking, so neither enables nor exploits the other."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1057",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required for T1057 (authorized queries or other CWEs suffice), while T1057 only touches the narrow process-info slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1069",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 can leak permission data that aids T1069 but is unnecessary since T1069 succeeds via queries, tools, or other channels; conversely T1069 only touches the narrow permission slice of CWE-200's broad sensitive-information surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1070",
      "target_framework": "CWE",
      "target_id": "CWE-117",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 enables log forgery that can aid T1070 but T1070 succeeds via many other means; T1070 only touches the narrow log-injection slice of CWE-117's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1072",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is a primary enabler for malicious use of deployment tools (T1072) since they rely on remote code distribution, yet T1072 only touches one slice of the broader integrity-check surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging aids long-term credential persistence but is not required for T1078 to succeed via other means; T1078 only touches the aging-related slice of the weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration enables persistence via stolen creds but is not required for T1078 to succeed; T1078 abuses valid accounts without specifically targeting or covering the expiration-policy surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables password spraying/brute-force paths to T1078 but T1078 succeeds via phishing, leaks, etc.; T1078 only touches the brute-force slice of CWE-307's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 mostly enables T1078 by removing the MFA barrier that would otherwise block credential-based account abuse, while T1078 only partially exploits CWE-308 since it covers credential theft/abuse but leaves other single-factor attack surfaces (e.g., phishing, brute-force without account validity checks) untouched."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth is a primary enabler for credential theft/abuse in T1078, but T1078 only hits a slice of the weakness surface via stolen passwords rather than all possible password flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 directly enables credential theft paths into T1078 (though T1078 also succeeds via phishing/brute-force); T1078 only hits the interception slice of CWE-522's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance primarily enables T1078 success via stolen credentials, while T1078 only targets the authentication slice of CWE-654's broad single-condition surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078.001",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-262 does not create or enable default-account abuse paths, while T1078.001 only touches the aging surface in the narrow case of never-rotated factory passwords."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078.001",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration allows already-known default credentials to remain usable for extended periods (partial enablement) but T1078.001 targets the existence of default creds themselves, not the aging surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078.001",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth is the primary enabler for credential-based abuse of default accounts, while default-account attacks cover only one narrow slice of the broad single-factor weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078.001",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth enables default-account abuse because the attack relies on guessable/default credentials; conversely, default accounts are only one narrow slice of the broad password-system weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078.001",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements partially enable default-account abuse by permitting unchanged factory credentials, while default-account usage only covers one narrow slice of the broader weak-password surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078.001",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables default-account abuse only when the single factor is precisely the default credential (other paths exist); T1078.001 covers only the narrow default-credential slice of the broad single-factor surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1078.001",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Hard-coded credentials enable default-account abuse only when the defaults are embedded in code (other vectors like docs suffice), while T1078.001 covers merely the default-account slice of the broader CWE-798 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1080",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1080 by allowing unauthorized writes to shared storage, while T1080 only exploits one narrow slice of the broad CWE-284 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1082",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1082 only partially because system discovery can occur via authorized commands or other flaws; T1082 exploits CWE-200 only partially because it targets one narrow slice (OS details) of the broad sensitive-information exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1082",
      "target_framework": "CWE",
      "target_id": "CWE-205",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-205 can leak limited system details via side behaviors but is not required for T1082's direct queries; T1082 only touches one narrow slice of the broad discrepancy surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1083",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1083 (discovery proceeds via OS utilities regardless of prior exposure), while T1083 exploits only a narrow slice of CWE-200's broad information-exposure surface via file enumeration."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1083",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization can permit unauthorized file access but is not required for T1083 (which works via legitimate or other means); T1083 does not target authorization surfaces at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1083",
      "target_framework": "CWE",
      "target_id": "CWE-424",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-424 can partially enable T1083 by exposing restricted paths to enumeration, but T1083 succeeds via normal commands regardless; T1083 does not target or cover the alternate-path protection surface at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1083",
      "target_framework": "CWE",
      "target_id": "CWE-425",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 permits web URL access that can aid discovery but T1083 succeeds via local commands without it; T1083 does not target the web authorization surface at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1083",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Protection failure can enable discovery by removing access controls or enumeration blocks, but discovery succeeds via legitimate access or other vectors; T1083 only touches the narrow file-system slice of the weakness's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1083",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions can widen the files an adversary is able to reach during discovery but are not required for T1083 to succeed; conversely T1083 merely lists names and does not exercise the read/modify surface created by CWE-732."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1087",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 mostly enables T1087 by leaking account names/roles that directly aid enumeration, though other discovery methods exist; T1087 exploits only the account-listing slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1090.001",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-441 can facilitate proxy-like behavior that an adversary might abuse, but T1090.001 succeeds via deliberate tooling without needing this weakness; the technique does not target the confused-deputy surface at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1090.004",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 enables T1090.004 mostly because domain fronting succeeds by abusing CDNs that fail to bind the TLS endpoint to the later HTTP Host, while the technique exploits only a narrow slice of the weakness's broad endpoint-restriction surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak encryption enables offline brute-force on captured material but is irrelevant to online password guessing; brute force directly targets inadequate key/algorithm strength yet only covers one slice of the weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110",
      "target_framework": "CWE",
      "target_id": "CWE-330",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-330 reduces entropy and thereby makes brute-force practical, yet T1110 can still succeed against non-random weaknesses (defaults, reused passwords); conversely T1110 only touches the low-entropy slice of CWE-330's broader surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements make brute-force practical by lowering guess entropy (primary enabler), while brute force directly targets the guessability surface created by those requirements."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.001",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Absence of aging lengthens the window for successful guesses but is not required for the technique, which instead targets weak/no lockout policies and does not exercise any aging-related surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.001",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration lets a guessed password remain usable longer (partial enablement) but guessing itself never interacts with or targets the aging policy (no exploitation)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.001",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables T1110.001 mostly by permitting unlimited attempts that the technique requires to succeed, while T1110.001 exploits the weakness mostly as one direct manifestation among related brute-force variants."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.001",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth is the sole prerequisite that lets password guessing succeed unaided (full enablement), while guessing only targets the password manifestation of the broader single-factor weakness surface (mostly exploitation)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.001",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 is the primary reason password guessing can succeed, yet T1110.001 only covers one narrow slice of password-system weaknesses."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.001",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements primarily enable guessing by permitting easily guessable passwords, while guessing covers only one slice of the weakness's exploitation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.001",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 is the primary enabler for password guessing to yield account access (multi-factor would block it), while password guessing only targets one narrow slice of the broad single-factor weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.002",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration does not enable cracking itself (technique succeeds regardless) but can prolong cracked-credential utility; cracking targets hashes, not the aging policy surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.002",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth is the primary reason password cracking yields account access (MFA would block it), while password cracking directly targets the main manifestation of that weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.002",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password systems enable cracking attacks as a core shortcoming, yet cracking only targets the hash-recovery slice of the weakness's broader surface (shoulder-surfing, reuse, etc.)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.002",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements are the primary reason password cracking succeeds at scale, yet cracking only addresses the offline-hash slice of that weakness's broader attack surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.002",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables T1110.002 mostly (single-factor password auth is the main precondition for cracking to yield access) while T1110.002 exploits CWE-654 only partially (targets the password manifestation among many possible single factors)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.002",
      "target_framework": "CWE",
      "target_id": "CWE-916",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-916 is the primary enabler that renders password cracking feasible, while T1110.002 directly and completely targets the insufficient computational effort surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.003",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets sprayed credentials remain valid longer (partial enablement) but spraying targets common passwords/lockout gaps, not aging surfaces at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.003",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration does not create or widen any path for password spraying, and spraying never targets or depends on the aging interval."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.003",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables T1110.003 only partially because spraying is explicitly designed to succeed even when lockouts exist, while the technique exploits the weakness mostly by distributing attempts to remain below per-account thresholds."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.003",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth (passwords) is the main precondition that lets password spraying succeed at scale, while spraying directly targets the password surface of that weakness but does not address other single-factor forms."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.003",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 is the primary reason password spraying is viable at all, yet spraying only targets one narrow slice (common-password guessing) of the broad set of password-system flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.003",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements mostly enable spraying by permitting the exact common passwords it relies on, while spraying only partially exploits the weakness by targeting one narrow slice (common passwords) of its broader surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.003",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance is the primary reason password spraying can succeed, yet spraying only targets the password slice of that broad weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.004",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Absence of password aging keeps old credentials valid longer and thus partially enables stuffing, yet stuffing itself targets cross-site reuse rather than the aging surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.004",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 is a primary enabler for large-scale automated stuffing (mostly) while T1110.004 only exercises the rate-limiting slice of that weakness surface (partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.004",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth is the primary enabler for credential stuffing to succeed, yet stuffing only covers one narrow slice of the weakness's exploitation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.004",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth is the core prerequisite that makes credential stuffing viable, yet stuffing only targets the reuse slice of CWE-309's broader flaw surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.004",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 can contribute leaked creds that enable stuffing but is not required (other leak vectors exist); T1110.004 simply re-uses already-obtained creds and never touches the storage/transmission flaw itself."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1110.004",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 mostly enables T1110.004 by making password-only checks the sole gate; T1110.004 exploits only one narrow slice of the broad single-factor surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1111",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1111 (interception works via keyloggers or direct targeting regardless of prior exposure), while T1111 only touches one narrow slice of the broad sensitive-information exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1111",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption can aid network interception of MFA material in transit but T1111 succeeds via client-side theft (keyloggers, token theft) that does not require or target this weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1112",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "T1112 succeeds via admin privileges or malware without needing external config control, while registry modification only covers one narrow slice of CWE-15's broad configuration surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1114.002",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long password expiration neither enables remote mailbox access (which requires valid credentials regardless of age) nor is exploited by email-collection tooling that simply uses whatever credentials it obtains."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1114.002",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 supplies one possible credential-acquisition path for T1114.002 but is unnecessary (other theft methods work); T1114.002 only touches replay when credentials happen to be obtained that way, a narrow slice of the weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1114.002",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth enables credential-based remote email access mostly (MFA would block the direct path), while the technique only hits the email-service slice of the broad weakness partially."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1114.002",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password weaknesses can aid credential theft used by the technique but are unnecessary for success, while the technique only touches one narrow slice of password-system flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1114.002",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords can aid credential acquisition for email access but are unnecessary (phishing etc. suffice); the technique assumes valid creds and never targets password policy surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1114.002",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 mostly enables T1114.002 by supplying the credentials the technique requires, while T1114.002 only partially exploits CWE-522 since it uses any valid credentials and does not specifically target their insecure storage or transmission."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1115",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 does not enable T1115 (clipboard access is a standard user-context OS feature, not a privilege-definition flaw) and T1115 does not exploit CWE-267 (it uses normal APIs rather than any unsafe privilege surface)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1119",
      "target_framework": "CWE",
      "target_id": "CWE-1323",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1323 supplies one extra unprotected data source that T1119 scripts could harvest, yet T1119 succeeds fully via other collection vectors; conversely T1119 can touch the trace-data exposure but only as one narrow slice of its broad automated-collection surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1119",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly supplies the unauthorized file access that automated collection relies on (mostly enabling), yet T1119 only exercises one narrow slice of that broad exposure surface via scripted retrieval."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1120",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1120 is active enumeration via OS APIs rather than passive exposure of sensitive data, so CWE-200 neither enables nor is canonically exercised by this technique."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1123",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 can enable audio capture when an over-privileged API is misused, but T1123 succeeds via many other routes; conversely T1123 only touches one narrow unsafe action among the broad surface of CWE-267."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1124",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1124 uses normal OS queries rather than any exposure weakness, while system time is only one narrow case of the broad CWE-200 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1125",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 enables T1125 only partially (video capture can occur via direct API access or other weaknesses); T1125 exploits CWE-267 only partially (video capture is one narrow unsafe action among many possible privilege misuses)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1133",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging aids long-term credential validity for T1133 persistence but is not required for the technique; T1133 can leverage remote-service credential surfaces that include (but are not limited to) non-aging passwords."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1133",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration weakly aids persistence after T1133 succeeds but is neither required nor specifically targeted by the technique."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1133",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 can enable one auth-bypass path into the remote services of T1133 but is not required; T1133 can exploit capture-replay on external gateways yet only covers a narrow slice of that weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1133",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth is a primary enabler for successful credential-based access via T1133 remote services, while T1133 only touches the narrow authentication slice of that weakness's broader surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1133",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password-system flaws are a primary enabler for credential attacks on external remote services, yet T1133 only touches one narrow slice of the broad password-weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1133",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords are a primary enabler for credential guessing against exposed remote services, yet T1133 only covers one narrow slice of all possible weak-password abuse surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1133",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 can aid T1133 by exposing creds used at remote gateways but is unnecessary (other vectors like phishing work); T1133 only touches the narrow remote-auth slice of CWE-522's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134",
      "target_framework": "CWE",
      "target_id": "CWE-1270",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect token generation can facilitate successful manipulation outcomes but is not required for T1134, which instead targets post-generation token APIs and does not address generation flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Token manipulation abuses OS-level identity context after initial access and is unrelated to a product failing to verify claimed identities (CWE-287)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1134 relies on legitimate token APIs rather than spoofing flaws in auth schemes, while token impersonation only touches one narrow slice of CWE-290's broader spoofing surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 is an app-level auth flaw that does not enable OS token APIs, while T1134 directly abuses the immutability assumption for one narrow slice of that weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134",
      "target_framework": "CWE",
      "target_id": "CWE-642",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 enables T1134 mostly because token manipulation requires the ability to externally control critical security state; T1134 exploits CWE-642 only partially as it targets one narrow Windows-specific slice of the broad weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 is the primary enabler for token manipulation attacks like T1134, yet T1134 only covers one narrow slice of the broad resource-lifetime surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134.001",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 mostly enables token theft by surfacing credentials an adversary can duplicate, while T1134.001 only covers the narrow token-duplication slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134.001",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Token impersonation succeeds against correct authorization by abusing valid tokens; it only covers one narrow slice of CWE-285's broad authorization surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134.001",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Token impersonation relies on OS token handling rather than spoofing-based auth bypass, while the technique represents only one non-canonical exploitation path among many spoofing variants covered by CWE-290."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134.001",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 can enable token theft via flawed handle lifetime management but is not required for T1134.001, while the technique only abuses one narrow token-specific slice of the broad resource-control surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134.001",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 can partially enable token theft by exposing handles or resources an attacker would otherwise lack rights to access, but T1134.001 succeeds via many other paths; the technique itself targets token APIs and privileges rather than permission mis-assignments on resources."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134.002",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1134.002 mostly because improper token lifetime control is the primary vector allowing token duplication/use, while the technique exploits only the narrow token/process-creation slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1134.003",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1134.003 only partially because token creation/impersonation can succeed via other weaknesses such as insufficient privileges; T1134.003 exploits CWE-664 only partially because it targets one narrow slice (tokens) of the weakness's broad resource-lifetime surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1135",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable T1135 (discovery succeeds via protocol enumeration regardless of sensitive-data exposure), while T1135 only touches one narrow slice of the broad CWE-200 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1176",
      "target_framework": "CWE",
      "target_id": "CWE-507",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-507 supplies the hidden malicious payload that makes a seemingly-benign extension succeed at persistence, yet T1176 only covers the extension-specific slice of the broader Trojan surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1176",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables T1176 mostly because malicious extensions are a direct realization of importing untrusted functionality, while T1176 exploits the weakness only partially by covering the narrow extension slice rather than the full surface of libraries, includes, and other inclusions."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1185",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 may indirectly facilitate session use after hijack but T1185 succeeds via stolen tokens regardless of initial auth strength and targets session handling, not auth verification."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1185",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "T1185 succeeds via endpoint compromise (MITB/extensions) without needing non-endpoint channel access, and does not target CWE-300's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1195",
      "target_framework": "CWE",
      "target_id": "CWE-1269",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1269 does not create any path for T1195 to succeed, while T1195 can deliberately deliver a non-release image as one narrow slice of its supply-chain surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1195.001",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is the primary enabler for T1195.001 to achieve execution, while the supply-chain compromise directly targets the no-integrity-check surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1195.001",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the direct result of a successful T1195.001 rather than an enabler, while the technique covers only one narrow supply-chain manifestation of the broad CWE-506 weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1195.001",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 is the primary enabler for T1195.001 success via supply-chain inclusion, yet the technique only covers the dependency-compromise slice of CWE-829's broader untrusted-inclusion surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1195.002",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 mostly enables T1195.002 by permitting execution of the adversary's tampered artifact, while T1195.002 mostly exploits the weakness by directly manipulating the update/download channel it describes."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1195.002",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the direct result of T1195.002 rather than an enabler, while the technique fully covers the weakness by inserting malicious code through supply-chain manipulation."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1211",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 directly supplies an unmonitored channel that T1211 can abuse for stealth, yet T1211 exploits many unrelated weaknesses beyond auth bypass."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1211",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables T1211 only partially (T1211 succeeds via many other weaknesses) while T1211 exploits only a narrow slice of CWE-345's broad authenticity surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1211",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing integrity checks allow undetected tampering (partial enabler for stealth) but T1211 focuses on monitoring/logging evasion via code execution and does not target transmission integrity surfaces at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1213",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 enables external access to repos (one vector for T1213) but T1213 succeeds via many other paths; T1213 only touches the exposed-files slice of CWE-552's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1217",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 may furnish some accessible browser data but is not required for local enumeration, while T1217 only touches the browser-info slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1218.001",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 does not enable T1218.001 (CHM abuse works independently of any pre-existing embedded malicious code), while T1218.001 exploits only one narrow slice of the many possible manifestations of CWE-506."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1221",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the end-state payload rather than an enabler of T1221, while T1221 is only one narrow template-based manifestation of the broad CWE-506 weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1491",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 can enable certain defacement paths by letting tampered content be accepted, but many T1491 attacks succeed via other weaknesses; T1491 in turn only touches a narrow slice of the broad authenticity-verification surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1498.001",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary reason a network flood can exhaust resources and succeed as DoS, yet T1498.001 only exercises one narrow slice (network packets) of the weakness's broad resource-allocation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1498.002",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 mostly enables T1498.002 by letting reflectors emit unlimited amplified responses; T1498.002 exploits only the network-response slice of that broad weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499",
      "target_framework": "CWE",
      "target_id": "CWE-400",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 is the primary enabler for T1499's resource-exhaustion path (though T1499 also allows crash-based DoS), while T1499 directly targets the full resource-consumption surface of CWE-400."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499",
      "target_framework": "CWE",
      "target_id": "CWE-404",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can contribute to resource-exhaustion DoS but T1499 succeeds via many other paths; T1499 only touches the narrow resource-leak slice of CWE-404's broader surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary enabler for the resource-exhaustion path of T1499, yet T1499 also covers unrelated crash-based DoS techniques that do not rely on unbounded allocation."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.001",
      "target_framework": "CWE",
      "target_id": "CWE-404",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can worsen exhaustion under load but is unnecessary for a flood to exhaust OS limits, while T1499.001 targets imposed quotas rather than any release flaw surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.001",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary enabler for OS-level resource exhaustion attacks, yet T1499.001 only targets one narrow manifestation (e.g., TCP state tables) of the broad weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.002",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the sole enabler of successful service-resource exhaustion via flooding, while T1499.002 covers the dominant service-specific manifestation of that broad weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.002",
      "target_framework": "CWE",
      "target_id": "CWE-772",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing release can worsen resource pressure under load but is unnecessary for a flood to succeed, while a flood attack does not target the leak surface at all."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.003",
      "target_framework": "CWE",
      "target_id": "CWE-1325",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1325 directly enables memory exhaustion via unbounded allocations (mostly), while T1499.003 can target many resource types beyond this specific sequential-memory flaw (partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.003",
      "target_framework": "CWE",
      "target_id": "CWE-404",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can worsen exhaustion under sustained load but is unnecessary for a flood to succeed, while T1499.003 targets finite resource limits rather than shutdown/release flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.003",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 is the primary enabler for resource-exhaustion DoS but other weaknesses can also permit T1499.003; the technique only targets one narrow slice of the broad allocation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.004",
      "target_framework": "CWE",
      "target_id": "CWE-1322",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1322 produces hangs rather than crashes so does not enable T1499.004's exploitation path; T1499.004 can touch the blocking surface as one narrow DoS vector among many crash-based weaknesses."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.004",
      "target_framework": "CWE",
      "target_id": "CWE-412",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-412 enables a narrow DoS path via external lock control but is not required for T1499.004 crashes; T1499.004 only touches one slice of the lock-manipulation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.004",
      "target_framework": "CWE",
      "target_id": "CWE-567",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-567 can produce crashes exploitable for DoS but is only one of many such weaknesses, while T1499.004 broadly targets any crash-inducing vuln and therefore covers only a narrow slice of CWE-567's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.004",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper sync can cause crashes usable for DoS but is neither required for T1499.004 nor the primary surface it targets."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.004",
      "target_framework": "CWE",
      "target_id": "CWE-667",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper locking can contribute to some DoS states via deadlocks or races but is not required for crash-based exploitation; the technique targets memory-safety and similar flaws that do not intersect the locking surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1499.004",
      "target_framework": "CWE",
      "target_id": "CWE-833",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Deadlock produces DoS via resource contention rather than enabling any exploitation path, and T1499.004 targets crash-inducing vulnerabilities that do not cover deadlock surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.003",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper auth can facilitate web-shell upload but is unnecessary (other weaknesses suffice), while web-shell usage never targets or covers the auth weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.003",
      "target_framework": "CWE",
      "target_id": "CWE-553",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-553 enables T1505.003 mostly (accessible shell is the direct persistence vector but other placement flaws can also suffice); T1505.003 exploits CWE-553 fully (web shell placement exactly matches the weakness surface)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.004",
      "target_framework": "CWE",
      "target_id": "CWE-507",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-507 enables T1505.004 only partially (Trojan delivery is one possible vector among many for installing IIS components); T1505.004 exploits CWE-507 only partially (IIS extensions are one narrow realization of hidden malicious functionality)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.004",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly enables T1505.004 by permitting malicious IIS DLLs to be loaded from outside the trust boundary, while the IIS-component technique only covers one narrow slice of the broad untrusted-inclusion surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.005",
      "target_framework": "CWE",
      "target_id": "CWE-114",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 is the primary enabler for the malicious-DLL loading step in T1505.005, yet the technique only exercises one narrow registry-based manifestation of the broad process-control weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.005",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables T1505.005 only partially (adversary still needs a write primitive or prior foothold), while T1505.005 exploits only a narrow slice of the broad CWE-284 surface (DLL path or service registration permissions)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.005",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions on the TS DLL or its registry path directly enable an adversary to replace it for persistence (mostly), yet T1505.005 only targets that single resource rather than the broad surface of CWE-732 (partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1505.005",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 is the primary enabler for loading an attacker-supplied Terminal Services DLL, yet T1505.005 only touches one narrow manifestation of the broad 'untrusted control sphere' surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1528",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 enables spoof-based auth bypass but has no bearing on token theft success; T1528 obtains valid tokens via separate vectors and never targets spoofing surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1528",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 can partially enable token acquisition via auth bypass on mutable data, but T1528 steals tokens through unrelated surfaces (memory, storage) and does not target immutability assumptions."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1528",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Origin validation flaws can enable token exfiltration via cross-origin vectors but are not required for most token-stealing methods; conversely, T1528 only touches a narrow slice of the broad origin-validation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1528",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 enables token theft only when the token happens to be the sensitive value persisted in a cookie (other theft vectors exist), while T1528 covers only that narrow cookie-based slice of the weakness's broader sensitive-data surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1528",
      "target_framework": "CWE",
      "target_id": "CWE-642",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 directly enables token theft by exposing critical state but is not required for all T1528 paths; T1528 only covers the token-specific slice of CWE-642's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1528",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Lifetime mismanagement can leave tokens exposed for theft but is not required for the technique, while token theft only hits one narrow slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1530",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 is the primary enabler for unauthorized cloud-storage reads via misconfiguration, yet T1530 only covers the cloud-storage slice of the broader file-exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1531",
      "target_framework": "CWE",
      "target_id": "CWE-645",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-645 is the primary enabler for easy lockout-based denial in T1531, yet T1531 also removes access via deletion, credential changes, and other non-lockout paths that ignore this weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1534",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid internal spearphishing by enabling spoofed UI elements but is not required; T1534 leverages trusted internal accounts and only touches one narrow slice of the broad UI-misrepresentation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 (spoofing-based auth bypass) neither enables cookie theft/replay nor is exploited by T1539, which instead targets cookie exposure surfaces such as memory or network."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption enables only the network-sniffing vector of cookie theft while T1539 also succeeds via memory/disk access; conversely the technique only touches the transmission slice of the broad encryption weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-315",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-315 enables T1539 mostly by making session tokens directly usable once obtained; T1539 exploits CWE-315 only partially because cookie theft also succeeds from memory/disk even without cleartext exposure."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 enables T1539 only partially (stealing works from memory/network too) while T1539 exploits the persistent-cookie surface mostly (directly targets the stored sensitive value)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-565",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-565 is the primary reason a stolen session cookie remains usable (enables mostly), while T1539 directly targets and exercises that missing validation surface (exploits mostly)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables client-controlled bypasses of server decisions but is neither required nor targeted by cookie theft, which succeeds via separate vectors such as XSS or network capture."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-642",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 makes session cookies externally accessible and is thus the primary enabler for cookie theft, yet T1539 only targets the narrow cookie slice of the weakness's broader critical-state surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1539",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables cookie theft only via specific lifetime mishandlings and is not required for T1539 to succeed via other vectors; T1539 in turn only touches narrow slices (memory/disk/network exposure) of the extremely broad CWE-664 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1542.002",
      "target_framework": "CWE",
      "target_id": "CWE-1188",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Insecure defaults can ease initial access to flash firmware but T1542.002 relies on sophisticated component compromise and does not target the broad default-initialization surface of CWE-1188."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1542.002",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 could furnish an unauthenticated channel to a firmware-update function (partial enablement) but T1542.002 does not target or rely on any such pre-existing weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1542.002",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 mostly enables T1542.002 by allowing acceptance of unauthenticated malicious firmware images, while the technique only narrowly exploits the broad data-authenticity surface via one specific firmware-update vector."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1542.002",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing integrity checks primarily enable firmware tampering during transmission, while the technique can also exploit other weaknesses beyond transmission protocols."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1542.003",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control can indirectly help an attacker obtain the privileges needed to write a boot sector but is neither necessary nor the primary enabler; a bootkit does not target or rely on access-control surfaces at all, operating below the OS."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1543",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for unauthorized system-process creation, yet T1543 only touches the narrow slice of that weakness surface dealing with OS services/daemons."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1543.001",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1543.001 by allowing unauthorized writes to LaunchAgent plists; T1543.001 exploits only one narrow slice of the broad access-control surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1543.003",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1543.003 by permitting unauthorized service creation/modification; T1543.003 exploits only the narrow service-registry slice of CWE-284's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1543.004",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is the primary enabler for unauthorized writes to LaunchDaemon plists, while T1543.004 only touches one narrow slice of the broad access-control surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1546.001",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1546.001 by permitting unauthorized Registry writes that the technique requires; T1546.001 exploits only the narrow Registry-key slice of CWE-284's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1546.004",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1546.004 by allowing unauthorized writes to shell config files; T1546.004 exploits only the file-write slice of CWE-284's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1546.008",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1546.008 by allowing unauthorized modification of accessibility binaries/registry; T1546.008 exploits only one narrow slice of CWE-284's broad access-control surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1546.016",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for an adversary to introduce or abuse malicious installer packages/scripts, while the technique only touches one narrow slice of the broad CWE-284 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1547",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 can enable T1547 by permitting unauthorized autostart config changes, yet many other weaknesses suffice; T1547 only touches one narrow slice of CWE-284's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1547.001",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables T1547.001 only partially because registry writes can succeed via direct privileges without external config exposure; T1547.001 exploits CWE-15 only partially because run keys are one narrow slice of the broad configuration surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1547.004",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 mostly enables T1547.004 by permitting external registry changes to Winlogon keys, while the technique exploits only one narrow slice of the broad CWE-15 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1547.006",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1547.006 by allowing unauthorized kernel-module loading; T1547.006 exploits only the narrow module-loading slice of that broad weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1547.009",
      "target_framework": "CWE",
      "target_id": "CWE-59",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-59 is not required for T1547.009 to succeed (adversary simply plants a working .lnk), yet shortcut modification only touches one narrow slice of the broad link-following surface CWE-59 describes."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1547.014",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 is the direct means to alter the HKLM Active Setup key (primary enabler), while T1547.014 touches only that single registry manifestation of the broad configuration-control surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1548",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 is the primary root cause enabling T1548 abuse of elevation mechanisms, yet T1548 only covers the elevation-control slice of CWE-269's broad privilege surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1548",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper auth can aid initial access but is not required for T1548 to abuse elevation controls on an already-authenticated session; conversely T1548 targets elevation mechanisms rather than authentication surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1548",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms on elevation-critical resources (sudoers, setuid bins, etc.) are a primary path for T1548 but not required; T1548 only touches the permission slice of CWE-732's broader surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.001",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Token theft/use succeeds against correct token auth (no weakness needed), while the technique only touches the token-validation slice of CWE-287's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.002",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-294 describes network replay of auth traffic; PtH uses captured hashes directly via protocol APIs and is enabled by unrelated weaknesses."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.002",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth is the primary enabler for PtH success, but PtH only targets the narrow password-hash slice of that weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.002",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables hash capture (a prerequisite for PtH) only via one of many credential-access paths, while PtH itself operates on an already-captured hash and does not target the protection flaw."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.002",
      "target_framework": "CWE",
      "target_id": "CWE-836",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-836 is the sole enabler of T1550.002 because direct hash comparison is exactly what allows PtH to succeed, and PtH in turn uses the entire surface of that weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.003",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 is the primary enabler for ticket replay in PtT, but PtT only covers the Kerberos-specific slice of the broader capture-replay surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.003",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 mostly enables ticket theft required for PtT, while PtT only targets the narrow Kerberos-ticket slice of the broad credential-protection surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables cookie theft for T1550.004 but is not required (other theft vectors exist); T1550.004 uses only the narrow session-cookie slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 does not enable cookie theft/use (technique works with proper auth on a valid session) and T1550.004 targets session validity/MFA bypass rather than authorization checks."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 enables cookie-based session use only partially (technique succeeds via client-side theft without any spoofing flaw); T1550.004 exploits only a narrow slice of spoofing surfaces by replaying valid tokens rather than forging identities."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables cookie replay only when cookies are captured via network sniffing (other theft methods exist), while T1550.004 directly performs replay of session tokens and therefore covers most of the CWE-294 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 can enable limited cookie-misuse paths via cross-origin flaws but is not required for cookie theft/use; T1550.004 targets authenticated sessions without touching origin validation surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 permits an attacker to obtain a pre-authenticated session identifier but is not required for cookie theft or reuse; T1550.004 targets post-authentication cookie exfiltration vectors unrelated to fixation."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-488",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-488 can leak session tokens across boundaries and thereby aid cookie misuse, yet T1550.004 succeeds via many other theft vectors; the cookie-reuse technique itself never targets or traverses the cross-session exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies long-lived sensitive session tokens that T1550.004 directly steals and replays, yet the technique can also target non-persistent or non-cookie authenticators."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1550.004 only partially (other weaknesses can still let cookies be stolen), while the technique exploits only the narrow session-cookie lifetime slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1550.004",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 can partially enable cookie theft via file access but T1550.004 itself only uses already-obtained cookies and does not target permission flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.001",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly enables external discovery of credential files (mostly), while T1552.001 only targets the credential-file slice of CWE-552's broad exposure surface (partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.001",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-798 enables only the embedded-password slice of T1552.001 (technique still succeeds via user/config files), while T1552.001 directly covers the source/binary manifestation of hard-coded credentials."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.002",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization does not create or expose Registry credential storage, and Registry searches for creds do not rely on or target authorization-check failures."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.003",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 can expose history files to outsiders (enabling T1552.003 without a full compromise) but is not required once local access exists; T1552.003 only targets one narrow file-based slice of the broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.004",
      "target_framework": "CWE",
      "target_id": "CWE-226",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-226 concerns uncleared reuse of transient resources (e.g., memory) while T1552.004 only reads static key files from disk directories, so neither enables nor exploits the other."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.004",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption enables T1552.004 mostly by leaving private keys directly usable, while the technique exploits only the private-key slice of CWE-311's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.004",
      "target_framework": "CWE",
      "target_id": "CWE-312",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-312 is the primary reason private keys become readable when found, enabling T1552.004 mostly, yet the technique only targets one narrow slice of the broad cleartext-storage surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.004",
      "target_framework": "CWE",
      "target_id": "CWE-318",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 enables T1552.004 only partially (keys can be found via many other insecure locations) while T1552.004 never targets executables and thus exploits none of this weakness's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.004",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 is the primary reason private keys become discoverable via T1552.004, yet the technique only targets one narrow slice (private-key files) of the broad credential-protection weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.004",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly enables discovery of private keys via external or unauthorized access to their storage locations; T1552.004 only covers the narrow slice of that surface involving cryptographic key files after compromise."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1552.006",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 mostly enables T1552.006 by exposing SYSVOL, but the technique only exploits one narrow slice of the broad accessibility surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1553.002",
      "target_framework": "CWE",
      "target_id": "CWE-1326",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-1326 enables unsigned/adversarial boot code via absent hardware RoT, while T1553.002 concerns acquisition of valid signing certificates for user-mode binaries; the two touch only indirectly via secure-boot signature checks."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1553.002",
      "target_framework": "CWE",
      "target_id": "CWE-325",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-325 weakens a crypto implementation but neither enables acquisition of signing materials nor is targeted by the code-signing technique."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1553.002",
      "target_framework": "CWE",
      "target_id": "CWE-328",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak-hash usage neither enables acquisition of signing material nor is targeted by the code-signing technique, which relies on valid certificates rather than hash collisions."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1553.002",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms on cert stores/keys can enable theft of signing material (one of several acquisition paths), while code signing only touches that narrow slice of the broad permission-misassignment surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1553.004",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 mostly enables T1553.004 by allowing unauthorized root-cert installation on a system; T1553.004 exploits only one narrow slice of the broad CWE-284 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1554",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms on binaries directly enable replacement for persistence (mostly), while binary modification only covers one narrow slice of the broad permission-misassignment surface (partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1555",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 enables T1555 only when password stores are the exposed files (technique works via local access or other vectors otherwise); T1555 exploits only the narrow password-store slice of the broad exposure surface in CWE-552."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1556",
      "target_framework": "CWE",
      "target_id": "CWE-1188",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Insecure defaults can ease initial access needed for auth modification but are not required; T1556 targets runtime mechanisms rather than initialization surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1556",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-288 is a static design flaw (existing alternate unauthenticated channel) unrelated to the active modification of auth mechanisms that defines T1556."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1556",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables T1556 only in cases where forged auth data/configs are accepted, while T1556 exploits only the data-authenticity slice of the broader weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1556",
      "target_framework": "CWE",
      "target_id": "CWE-862",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing authorization can enable an adversary to reach and alter auth mechanisms (but is neither necessary nor primary), while T1556 only touches one narrow slice of the broad missing-authorization surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1556.006",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is the primary enabler for unauthorized MFA modification, yet the technique only targets one narrow slice of that broad weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables T1557 only partially because T1557 can still achieve network positioning/sniffing/manipulation without any auth flaw; T1557 exploits CWE-287 only partially because it targets narrow protocol-level manifestations rather than the full authentication surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth surface is the primary enabler for the protocol-abuse paths that realize T1557, yet T1557 can also reach its goals via non-spoofing routes and only exercises one slice of that surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables only the replay sub-behavior of T1557 (so partial) while T1557 covers replay among many other AiTM uses and therefore hits only one slice of the capture-replay surface (also partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 is the primary enabler of T1557 by allowing non-endpoint channel access, while T1557 directly exploits that surface via protocol abuse but does not cover every possible manifestation."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557.002",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 is the primary enabler of ARP poisoning (no authenticity check on replies), yet T1557.002 only targets one narrow protocol instance of the broad weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557.002",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is the root cause that lets ARP poisoning succeed, yet T1557.002 only targets the single ARP-protocol instance of that broad validation weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557.002",
      "target_framework": "CWE",
      "target_id": "CWE-348",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 is the primary reason ARP replies are blindly accepted, enabling poisoning mostly, while T1557.002 only touches the single ARP manifestation of the broad weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557.002",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-349 describes mixing trusted+untrusted data in one container; ARP poisoning sends standalone unauthenticated replies and neither enables nor targets that specific mixing surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1557.003",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 is the primary enabler of DHCP spoofing by allowing unauthenticated endpoints, yet T1557.003 only targets one narrow DHCP-specific slice of the weakness's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password aging controls long-term credential lifetime and has no bearing on Kerberos ticket acquisition or forgery paths; T1558 therefore neither depends on nor exercises the absence of aging mechanisms."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables only the network-sniffing subset of T1558 (Pass-the-Ticket via replay) while T1558 succeeds via memory theft/forgery without it; T1558 in turn touches only the Kerberos-ticket slice of the broad capture-replay surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "T1558 succeeds via memory/network access or KDC compromise regardless of factor count, and targets ticket caching/issuance surfaces rather than single-factor decision points."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables ticket theft only when creds happen to be stored/transmitted insecurely (other vectors like memory dumps still work), while T1558 covers only the narrow cached-ticket slice of the broad CWE-522 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables T1558 mostly because ticket forgery succeeds only when the ticket alone grants access; T1558 exploits CWE-654 only partially as it targets one narrow slice (Kerberos) of the broad single-factor surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558.003",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging lets service-account passwords remain static and thus easier to crack offline, but Kerberoasting succeeds against any weak hash regardless; conversely the technique only touches the static-password slice of the aging weakness via TGS tickets."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558.003",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration keeps service-account passwords static long enough for offline cracking to remain useful (partial enablement), while Kerberoasting only targets the resulting long-lived weak passwords rather than the policy surface itself (partial exploitation)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558.003",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth on service accounts is the primary reason a cracked TGS hash yields usable access (mostly enabling), while Kerberoasting only targets the Kerberos password-hash slice of that weakness rather than its full MFA surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558.003",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables Kerberoasting mostly by making offline password cracking viable, while Kerberoasting exploits only the narrow ticket-hash slice of CWE-309's broad password-auth surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558.003",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements mostly enable Kerberoasting success via offline brute-force, while Kerberoasting only partially exploits the weakness by targeting one narrow slice (service-account TGS tickets)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1558.003",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Kerberoasting obtains crackable ticket material via protocol abuse rather than exploiting insecure credential storage/transmission."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1565.002",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 mostly enables T1565.002 by omitting integrity protections on transit paths, while the technique only exploits the narrow transmission-integrity slice of the broad protection-failure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1566",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 is a primary enabler for most phishing deception but not required for attachment-based variants; T1566 exploits only the UI-misrepresentation slice of the weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1566.001",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid T1566.001 success via spoofed email/attachment rendering but is not required (other social-engineering vectors suffice); T1566.001 only touches a narrow slice of CWE-451's broad UI-misrepresentation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1566.002",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid link credibility in phishing but is not required for T1566.002 delivery; the technique only touches one narrow slice of the broad UI-misrepresentation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1566.003",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 is a primary enabler for phishing success via spoofed UI elements, but T1566.003 only covers one narrow delivery slice of that broad weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.001",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the primary root cause enabling search-order DLL hijacking within T1574.001, yet the technique only covers that narrow slice of the weakness alongside sideloading and phantom DLL variants."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.004",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the sole root cause enabling T1574.004 dylib hijacking via search-path manipulation, while the technique only covers the narrow dylib slice of the broader uncontrolled-search surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.005",
      "target_framework": "CWE",
      "target_id": "CWE-272",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-272 partially enables elevated execution of a replaced installer binary but is not required for the file-permission overwrite itself; T1574.005 targets directory/binary ACLs and does not rely on the privilege-dropping flaw."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.005",
      "target_framework": "CWE",
      "target_id": "CWE-282",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-282 can indirectly contribute to permissive file conditions that enable T1574.005 but is neither required nor the primary cause; T1574.005 targets permission misconfigurations on installer binaries and does not exercise ownership verification surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.005",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization is the primary enabler of the file-permission hijack (without it the overwrite fails), yet the technique only touches one narrow slice of CWE-285's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.005",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables T1574.005 mostly because failure to enforce the file-permission protection mechanism is the direct root cause, while T1574.005 only touches the narrow installer-binary slice of the broad protection-mechanism surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.005",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 is the sole enabler of T1574.005 (the technique is defined by abuse of incorrect installer-binary permissions), yet T1574.005 only covers one narrow slice of the broad CWE-732 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.006",
      "target_framework": "CWE",
      "target_id": "CWE-114",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 enables T1574.006 mostly by directly permitting untrusted library loads via linker env vars, while T1574.006 exploits CWE-114 only partially as one narrow vector among many process-control flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.006",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables T1574.006 mostly by permitting external setting of LD_PRELOAD-style variables, while the technique exploits only the narrow env-var slice of CWE-15's broad configuration surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.006",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization can partially enable the technique by allowing an adversary to set LD_PRELOAD-style variables for a target process, but the attack primarily exploits dynamic-linker behavior rather than any authorization check surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.006",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 permits product-controlled filesystem paths from user input, while T1574.006 succeeds solely by an adversary setting linker environment variables before execution and never relies on or exercises that weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.006",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 broadly enables T1574.006 by failing to neutralize env-var inputs that affect library loading, though the technique can also abuse OS features without app flaws; T1574.006 only hits the narrow LD_PRELOAD/DYLD slice of CWE-74's surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.006",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 is the root cause that permits an attacker-controlled library to be loaded via LD_PRELOAD-style variables, but T1574.006 only exercises one narrow vector of that broad inclusion surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.007",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables T1574.007 mostly because external PATH control is the primary vector for the described interception, while the technique exploits only the narrow PATH slice of CWE-15's broad config surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.007",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 plays no role in enabling PATH hijacking (which relies on search order and directory permissions) and T1574.007 does not target any input-validation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.007",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 is narrowly scoped to authentication data assumptions and has no bearing on PATH hijacking for execution, while T1574.007 targets a generic mutable environment variable unrelated to any auth scheme."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.007",
      "target_framework": "CWE",
      "target_id": "CWE-426",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-426 is the primary enabler for T1574.007 via PATH manipulation, but the technique only covers one narrow slice of the broader untrusted-search-path surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.007",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the direct and sole enabler of PATH hijacking, while T1574.007 only targets the PATH manifestation and leaves other uncontrolled search paths untouched."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.007",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "T1574.007 relies on PATH search order and directory permissions rather than any software weakness that accepts external path input."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.008",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the sole enabler of T1574.008 (no uncontrolled element means no search-order hijack succeeds), yet the technique only covers one narrow Windows search-order slice of the CWE's broader surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.008",
      "target_framework": "CWE",
      "target_id": "CWE-706",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 is the primary enabler of search-order hijacking (no full path = incorrect resolution), yet the technique only covers one narrow slice of the CWE's broader name/reference surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.009",
      "target_framework": "CWE",
      "target_id": "CWE-426",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-426 mostly enables T1574.009 because the untrusted search path weakness is the primary condition allowing higher-directory executable interception, while T1574.009 only partially exploits CWE-426 by covering solely the unquoted-path slice of that weakness's broader surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.009",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 is the primary weakness enabling T1574.009's unquoted-path hijack, yet the technique only covers one narrow slice of CWE-427's broader search-path surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220's overly-broad access controls are the primary reason service binaries can be overwritten, enabling T1574.010, yet the technique only touches the narrow file-permission slice of that weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-1268",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1268 concerns inconsistent hardware-enforced control vs. data policies while T1574.010 targets OS file ACL weaknesses on service binaries, so neither enables nor exploits the other."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-272",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-272 concerns failure to drop elevated privileges after privileged ops, while T1574.010 succeeds solely via weak filesystem ACLs on service binaries and does not rely on or target that privilege-management surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-276",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-276's default permission flaw is the primary enabler for T1574.010's service-binary replacement, yet the technique only targets one narrow slice of the broad default-permission surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-282",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper ownership can contribute to unauthorized binary replacement but is neither necessary nor the primary enabler of the described permission flaw; the technique targets a narrow permissions slice that only incidentally touches ownership management."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization is the root condition that permits binary replacement, yet T1574.010 only targets one narrow slice (service-binary file ACLs) of that broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 is the broad category that directly contains the service-binary permission failure enabling T1574.010, yet the technique only touches one narrow slice of all possible protection-mechanism failures."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.010",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 is the sole enabler of T1574.010 (technique cannot succeed without the permission flaw), while T1574.010 covers only the narrow Windows-service-binary slice of CWE-732's broad surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1574.011",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is the root cause enabling T1574.011 by allowing unauthorized registry modification, while the technique only targets one narrow permissions surface among many possible access-control flaws."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1584.002",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables one vector for server compromise (e.g., unauthenticated updates) but is not required; T1584.002 covers many unrelated compromise methods and therefore only touches one slice of the weakness surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1584.002",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is an input/validation flaw unrelated to initial server compromise; T1584.002 succeeds via unrelated vulns and never targets origin-validation surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1584.002",
      "target_framework": "CWE",
      "target_id": "CWE-348",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-348 describes a product flaw in source selection; T1584.002 is adversary infrastructure compromise that may later feed false data to such a flawed product but is not enabled by it."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1584.002",
      "target_framework": "CWE",
      "target_id": "CWE-350",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Compromising DNS servers can alter PTR records to abuse CWE-350, but covers only one of many exploitation vectors and does not rely on the weakness itself."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1590",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1590 only partially (recon succeeds via scanning without exposure); T1590 exploits CWE-200 only partially (network exposure is one narrow slice of its broad recon surface)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1592",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables T1592 only partially because host data can still be gathered via active scanning without any exposure; T1592 exploits CWE-200 only partially because it targets one narrow slice (host configuration) of the broad sensitive-information surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1592.002",
      "target_framework": "CWE",
      "target_id": "CWE-204",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-204 enables T1592.002 only partially (banners and port data suffice without discrepancies); T1592.002 exploits CWE-204 only partially (technique focuses on explicit disclosures, hitting discrepancy surface narrowly)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1592.002",
      "target_framework": "CWE",
      "target_id": "CWE-205",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-205 enables T1592.002 only partially because software fingerprinting succeeds via banners/ports without behavioral discrepancies; T1592.002 exploits CWE-205 only partially as it covers one narrow reconnaissance slice among many possible weakness manifestations."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1592.002",
      "target_framework": "CWE",
      "target_id": "CWE-208",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-208 timing leaks do not enable software-version reconnaissance, and T1592.002 banner/port collection does not target timing surfaces."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1595",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Active scanning gathers many infrastructure details without needing sensitive-info exposure, while the technique only touches one narrow slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1598",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 mostly enables T1598 because UI misrepresentation is a primary vector for successful phishing lures, while T1598 exploits the weakness only partially since phishing can also rely on non-UI social engineering."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1598.001",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can facilitate T1598.001 via spoofed interfaces but is neither required nor the primary enabler for service-based info elicitation; conversely the technique only touches narrow UI-focused slices of the broad misrepresentation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1598.002",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 can aid T1598.002 success via spoofed UI cues but is not required; the technique only touches one narrow slice of the broad UI-misrepresentation surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1598.003",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 is a primary enabler for convincing spearphishing links via spoofed UI elements, though the technique can still succeed via pure social engineering; T1598.003 only targets the narrow link/UI slice of the broad CWE-451 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1600",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 directly enables T1600 by permitting downgrade to weak algorithms during negotiation (primary path for weakening), while T1600 only partially exploits it since weakening can also occur via config changes, firmware mods or other CWEs."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1602",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 mostly enables T1602 by directly exposing configuration files to external collection, while T1602 exploits CWE-552 only partially by targeting one narrow slice of its broad file-exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1606",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Session fixation enables use of a pre-known valid ID after auth, whereas T1606 centers on generating new forged tokens/cookies unrelated to fixation mechanics."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1606",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables T1606 mostly because proper lifetime control (issuance/validation/expiry) would normally prevent forged credentials from being accepted, while T1606 exploits only the credential-specific slice of the broad CWE-664 surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1606.001",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CWE-359 describes improper protection of personal data; T1606.001 forges cookies for session access and does not rely on or primarily exploit that exposure weakness."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1611",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 is the primary enabler of container escapes (T1611) via failed isolation, yet T1611 only covers one narrow slice of the broad protection-mechanism surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1614",
      "target_framework": "CWE",
      "target_id": "CWE-497",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-497 can expose location-related system data (timezone, locale) that aids T1614, but T1614 succeeds via many other channels; conversely T1614 only touches one narrow slice of the broad sensitive-info surface CWE-497 describes."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1615",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 mostly enables T1615 by allowing unauthorized access to GPO files in SYSVOL; T1615 exploits only the narrow GPO slice of CWE-200's broad exposure surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1620",
      "target_framework": "CWE",
      "target_id": "CWE-114",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-114's lack of control over loaded code directly enables in-memory reflective payloads (mostly), while T1620 only covers the narrow reflective/in-memory slice of that broad weakness surface (partial)."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1620",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 can supply an untrusted payload that an adversary then loads reflectively, but T1620 succeeds via many other vectors and only touches one narrow slice of the broad inclusion surface."
    },
    {
      "source_framework": "MITRE_ATTACK",
      "source_id": "T1647",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 is the primary enabler for unauthorized plist modification, yet T1647 only targets one narrow slice of the broad configuration-control surface."
    }
  ]
}