
STRONTIUM (213cdde9-c11a-4ea9-8ce0-c868e9826fec)

STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in Central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private-sector organizations such as defense contractors and public policy research institutes. Microsoft attributed more 0-day exploits to STRONTIUM than to any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim, and will persistently pursue specific targets for months until it succeeds in compromising the victims' computers.

Cluster A Galaxy A Cluster B Galaxy B Level
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set STRONTIUM (213cdde9-c11a-4ea9-8ce0-c868e9826fec) Microsoft Activity Group actor 1
APT28 (5b4ee3ea-eee3-4c8e-8323-85ae32658754) Threat Actor STRONTIUM (213cdde9-c11a-4ea9-8ce0-c868e9826fec) Microsoft Activity Group actor 1
奇幻熊 - APT-C-20 (3d9f700c-5eb5-5d36-a6e7-47b55f2844cd) 360.net Threat Actors STRONTIUM (213cdde9-c11a-4ea9-8ce0-c868e9826fec) Microsoft Activity Group actor 1
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 2
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Winexe - S0191 (96fd6cc4-a693-4118-83ec-619e5352d07d) mitre-tool 2
DealersChoice - S0243 (8f460983-1bbb-4e7e-8094-f0b5e720f658) Malware APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Exploitation for Defense Evasion - T1211 (fe926152-f431-4baf-956c-4ad3cb0bf23b) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Forfiles - S0193 (90ec2b22-7061-4469-b539-0989ec4f96c2) mitre-tool 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Responder - S0174 (a1dd2dbd-1550-44bf-abcc-1a4c52e97719) mitre-tool APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 2
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Buy domain name - T1328 (45242287-2964-4a3e-9373-159fad4d8195) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set X-Agent for Android - S0314 (56660521-6db4-4e5a-a927-464f22954b7c) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 2
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 奇幻熊 - APT-C-20 (3d9f700c-5eb5-5d36-a6e7-47b55f2844cd) 360.net Threat Actors 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern 2
Credentials - T1589.001 (bc76d0a4-db11-4551-9ac4-01a469cfb161) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set HIDEDRV - S0135 (e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4) Malware 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 2
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Network Denial of Service - T1498 (d74c4a7e-ffbf-432f-9365-7ebf1f787cab) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set APT28 (5b4ee3ea-eee3-4c8e-8323-85ae32658754) Threat Actor 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Obtain/re-use payloads - T1346 (27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768) Attack Pattern 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Wi-Fi Networks - T1669 (fde016f6-211a-41c8-a4ab-301f1e419c62) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 2
Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Network Devices - T1584.008 (149b477f-f364-4824-b1b5-aa1d56115869) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set cipher.exe - S1205 (da66959d-9875-4fde-bfed-11111a55895e) mitre-tool 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware 2
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set LoJax - S0397 (b865dded-0553-4962-a44b-6fe7863effed) Malware 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 2
APT28 - G0007 (bef4c620-0787-42a8-a96d-b7eb6e85917c) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
APT28 (5b4ee3ea-eee3-4c8e-8323-85ae32658754) Threat Actor 奇幻熊 - APT-C-20 (3d9f700c-5eb5-5d36-a6e7-47b55f2844cd) 360.net Threat Actors 2
APT28 (5b4ee3ea-eee3-4c8e-8323-85ae32658754) Threat Actor Forest Blizzard (8d84d7b0-7716-5ab3-a3a4-f373dd148347) Microsoft Activity Group actor 2
奇幻熊 - APT-C-20 (3d9f700c-5eb5-5d36-a6e7-47b55f2844cd) 360.net Threat Actors Forest Blizzard (8d84d7b0-7716-5ab3-a3a4-f373dd148347) Microsoft Activity Group actor 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 3
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware XTunnel (53089817-6d65-4802-a7d2-5ccc3d919b74) Malpedia 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware X-Tunnel (6d180bd7-3c77-4faf-b98b-dc2ab5f49101) Tool 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
XTunnel - S0117 (7343e208-7cab-45f2-a47b-41ba5e2f0fab) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 3
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 3
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4) mitre-tool 3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 3
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 3
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Fysbis - S0410 (50d6688b-0985-4f3d-8cbe-0c796b30703b) Malware XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Winexe (811bdec0-e236-48ae-b27c-1a8fe0bfc3a9) Tool Winexe - S0191 (96fd6cc4-a693-4118-83ec-619e5352d07d) mitre-tool 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Winexe - S0191 (96fd6cc4-a693-4118-83ec-619e5352d07d) mitre-tool 3
DealersChoice - S0243 (8f460983-1bbb-4e7e-8094-f0b5e720f658) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
DealersChoice - S0243 (8f460983-1bbb-4e7e-8094-f0b5e720f658) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
DealersChoice - S0243 (8f460983-1bbb-4e7e-8094-f0b5e720f658) Malware Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 3
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 3
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Forfiles - S0193 (90ec2b22-7061-4469-b539-0989ec4f96c2) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Forfiles - S0193 (90ec2b22-7061-4469-b539-0989ec4f96c2) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 3
Forfiles - S0193 (90ec2b22-7061-4469-b539-0989ec4f96c2) mitre-tool Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
X-Agent (3e2c99f9-66cd-48be-86e9-d7c1c164d87c) Tool CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware X-Agent (Android) (0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf) Malpedia 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware CHOPSTICK (0a32ceea-fa66-47ab-8bde-150dbd6d2e40) Tool 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware 3
CHOPSTICK - S0023 (ccd61dfc-b03f-4689-8c18-7c97eab08472) Malware Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 3
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Responder - S0174 (a1dd2dbd-1550-44bf-abcc-1a4c52e97719) mitre-tool 3
Responder - S0174 (a1dd2dbd-1550-44bf-abcc-1a4c52e97719) mitre-tool LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 3
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware 3
Zebrocy - S0251 (a4f57468-fbd5-49e4-8476-52088220b92d) Malware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 3
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 3
GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware Komplex (d26b5518-8d7f-41a6-b539-231e4962853e) Malpedia 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Komplex - S0162 (f108215f-3487-489d-be8b-80e346d32518) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern X-Agent for Android - S0314 (56660521-6db4-4e5a-a927-464f22954b7c) Malware 3
X-Agent (3e2c99f9-66cd-48be-86e9-d7c1c164d87c) Tool X-Agent for Android - S0314 (56660521-6db4-4e5a-a927-464f22954b7c) Malware 3
X-Agent for Android - S0314 (56660521-6db4-4e5a-a927-464f22954b7c) Malware X-Agent (Android) (0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf) Malpedia 3
X-Agent for Android - S0314 (56660521-6db4-4e5a-a927-464f22954b7c) Malware Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern 3
X-Agent for Android - S0314 (56660521-6db4-4e5a-a927-464f22954b7c) Malware CHOPSTICK (0a32ceea-fa66-47ab-8bde-150dbd6d2e40) Tool 3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware 3
Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Drovorub - S0502 (99164b38-1775-40bc-b77b-a2373b14540a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 3
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) Attack Pattern Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 3
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 3
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 3
Credentials - T1589.001 (bc76d0a4-db11-4551-9ac4-01a469cfb161) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool 3
Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware 3
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware 3
Downdelph (837a295c-15ff-41c0-9b7e-5f2fb502b00a) Tool Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware 3
Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware 3
Downdelph (e6a077cb-42cc-4193-9006-9ceda8c0dff2) Malpedia Downdelph - S0134 (08d20cd2-f084-45ee-8558-fa6ef5a18519) Malware 3
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 3
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Cannon - S0351 (d20b397a-ea47-48a9-b503-2e2a3551e11d) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern HIDEDRV - S0135 (e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4) Malware 3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern HIDEDRV - S0135 (e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4) Malware 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware USBStealer (44909efb-7cd3-42e3-b225-9f3e96b5f362) Tool 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware 3
USBStealer - S0136 (af2ad3b7-ab6a-4807-91fd-51bcaff9acbb) Malware Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
CORESHELL - S0137 (60c18d06-7b91-4742-bae3-647845cd9d81) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 3
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware OLDBAIT (6d1e2736-d363-49aa-9054-9c9e4ac0c520) Tool 3
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
OLDBAIT - S0138 (2dd34b01-6110-4aac-835d-b5e7b936b0be) Malware Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Seduploader (6bd20349-1231-4aaa-ba2a-f4b09d3b344c) Malpedia 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Komplex (d26b5518-8d7f-41a6-b539-231e4962853e) Malpedia 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
JHUHUGIT - S0044 (8ae43c46-57ef-47d5-a77a-eebb35628db2) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Sedreco (21ab9e14-602a-4a76-a308-dbf5d6a91d75) Malpedia ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
EVILTOSS (6374fc53-9a0d-41ba-b9cf-2a9765d69fbb) Tool ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern ADVSTORESHELL - S0045 (fb575479-14ef-41e9-bfab-0b7cf10bec73) Malware 3
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern 3
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 3
Evil Twin - T1557.004 (48b836c6-e4ca-435a-82a3-29c03e5b492e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware 3
reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware 3
reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware 3
reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34) Malware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Network Devices - T1584.008 (149b477f-f364-4824-b1b5-aa1d56115869) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern 3
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern cipher.exe - S1205 (da66959d-9875-4fde-bfed-11111a55895e) mitre-tool 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 3
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 3
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware 3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware 3
XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware 3
XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 3
XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware 3
XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
XAgentOSX - S0161 (59a97b15-8189-4d51-9404-e1ce8ea4a069) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern LoJax - S0397 (b865dded-0553-4962-a44b-6fe7863effed) Malware 3
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern LoJax - S0397 (b865dded-0553-4962-a44b-6fe7863effed) Malware 3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern LoJax - S0397 (b865dded-0553-4962-a44b-6fe7863effed) Malware 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern LoJax - S0397 (b865dded-0553-4962-a44b-6fe7863effed) Malware 3
System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern LoJax - S0397 (b865dded-0553-4962-a44b-6fe7863effed) Malware 3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 4
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 4
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
XTunnel (53089817-6d65-4802-a7d2-5ccc3d919b74) Malpedia X-Tunnel (6d180bd7-3c77-4faf-b98b-dc2ab5f49101) Tool 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 4
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 4
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 4
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 4
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 4
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 4
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 4
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 4
X-Agent (3e2c99f9-66cd-48be-86e9-d7c1c164d87c) Tool X-Agent (Android) (0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf) Malpedia 4
X-Agent (3e2c99f9-66cd-48be-86e9-d7c1c164d87c) Tool CHOPSTICK (0a32ceea-fa66-47ab-8bde-150dbd6d2e40) Tool 4
CHOPSTICK (0a32ceea-fa66-47ab-8bde-150dbd6d2e40) Tool X-Agent (Android) (0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf) Malpedia 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 4
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 4
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 4
GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool Private Cluster (75c79f95-4c84-4650-9158-510f0ce4831d) Unknown 4
GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 4
GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool Komplex (d26b5518-8d7f-41a6-b539-231e4962853e) Malpedia 4
GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool 4
GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool Seduploader (6bd20349-1231-4aaa-ba2a-f4b09d3b344c) Malpedia 4
Sofacy (df36267b-7267-4c23-a7a1-cf94ef1b3729) Android GAMEFISH (43cd8a09-9c80-48c8-9568-1992433af60a) Tool 4
SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool Private Cluster (75c79f95-4c84-4650-9158-510f0ce4831d) Unknown 4
Komplex (d26b5518-8d7f-41a6-b539-231e4962853e) Malpedia SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 4
CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 4
Seduploader (6bd20349-1231-4aaa-ba2a-f4b09d3b344c) Malpedia SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 4
Sofacy (df36267b-7267-4c23-a7a1-cf94ef1b3729) Android SOURFACE (1de47f51-1f20-403b-a2e1-5eaabe275faa) Tool 4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 4
CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool Komplex (d26b5518-8d7f-41a6-b539-231e4962853e) Malpedia 4
CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool Private Cluster (75c79f95-4c84-4650-9158-510f0ce4831d) Unknown 4
Seduploader (6bd20349-1231-4aaa-ba2a-f4b09d3b344c) Malpedia CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool 4
Sofacy (df36267b-7267-4c23-a7a1-cf94ef1b3729) Android CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool 4
CORESHELL (3948ce95-468e-4ce1-82b1-57439c6d6afd) Tool Coreshell (579cc23d-4ba4-419f-bf8a-f235ed33125e) Malpedia 4
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 4
Downdelph (837a295c-15ff-41c0-9b7e-5f2fb502b00a) Tool Downdelph (e6a077cb-42cc-4193-9006-9ceda8c0dff2) Malpedia 4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 4
Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829) Attack Pattern Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549) Attack Pattern 4
OLDBAIT (b79a6b61-f122-4823-a4ab-bbab89fcaf75) Malpedia OLDBAIT (6d1e2736-d363-49aa-9054-9c9e4ac0c520) Tool 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 4
Sedreco (21ab9e14-602a-4a76-a308-dbf5d6a91d75) Malpedia EVILTOSS (6374fc53-9a0d-41ba-b9cf-2a9765d69fbb) Tool 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 4
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 4
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 4
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 4
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern 4
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern 4