Skip to content

Hide Navigation Hide TOC

Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9)

FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

Cluster A Galaxy A Cluster B Galaxy B Level
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9) Backdoor 1
BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af) Microsoft Activity Group actor APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor 2
Brass Typhoon (2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5) Microsoft Activity Group actor APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor LEAD (f542442e-ba0f-425d-b386-6c10351a468e) Microsoft Activity Group actor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 2
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor 3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor 3
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor 3
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 4
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set Build social network persona - T1341 (9108e212-1c94-4f8d-be76-1aad9b4c86a4) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
Develop social network persona digital footprint - T1342 (271e6d40-e191-421a-8f87-a8102452c201) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39) Attack Pattern Obfuscate infrastructure - T1309 (e6ca2820-a564-4b74-b42a-b6bdf052e5b6) Attack Pattern 5
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 5
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern 5
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 5
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 5
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6) Tool 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern 5
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 5
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 5
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 5
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 5
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 5
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 5
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 5
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 5
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 5
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 5
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 5
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 5
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 5
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 5
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 5
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 5
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 5
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 5
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 5
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 5
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 5
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 5
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 5
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 5
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 5
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia 5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 6
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 6
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 6
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 6
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 6
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 6
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 6
HiKit (35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1) Malpedia Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6) Tool 6
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern 6
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 6
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 6
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 6
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 6
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 6
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia 6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia 6
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 6
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 6
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Torn RAT (32a67552-3b31-47bb-8098-078099bbc813) Tool 7
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT 7
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool 7
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738) Malpedia 8
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool 8