Skip to content

Hide Navigation Hide TOC

GADOLINIUM (99e708f7-1c01-467d-b0da-f6cebd434abc)

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods. Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.

Cluster A Galaxy A Cluster B Galaxy B Level
GADOLINIUM (99e708f7-1c01-467d-b0da-f6cebd434abc) Microsoft Activity Group actor APT40 (5b4b6980-3bc7-11e8-84d6-879aaac37dd9) Threat Actor 1
Gingham Typhoon (dbc45b46-5b64-50d4-b0f1-d7de888d4e85) Microsoft Activity Group actor APT40 (5b4b6980-3bc7-11e8-84d6-879aaac37dd9) Threat Actor 2
Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set APT40 (5b4b6980-3bc7-11e8-84d6-879aaac37dd9) Threat Actor 2
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Social Media Accounts - T1586.001 (274770e0-2612-4ccf-a678-ef8e7bad365d) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
at - S0110 (0c8465c0-d0b4-4670-992e-4eee8d7ff952) mitre-tool Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
Exploits - T1587.004 (bbc3cba7-84ae-410d-b18b-16750731dfa2) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern 3
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Network Devices - T1584.008 (149b477f-f364-4824-b1b5-aa1d56115869) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
HOMEFRY - S0232 (7451bcf9-e6e6-4a70-bc3d-1599173d0035) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Credentials - T1589.001 (bc76d0a4-db11-4551-9ac4-01a469cfb161) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set 3
Leviathan - G0065 (7113eaa5-ba79-4fb3-b68a-398ee9cd698e) Intrusion Set Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 3
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
AIRBREAK (fd419da6-5c0d-461e-96ee-64397efac63b) Malpedia Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware 4
Orz - S0229 (06d735e7-1db1-4dbe-ab4b-acbe419f902b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
MURKYTOP - S0233 (049ff071-0b3c-4712-95d2-d21c6aa54501) Malware Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 4
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 4
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 4
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Social Media Accounts - T1586.001 (274770e0-2612-4ccf-a678-ef8e7bad365d) Attack Pattern 4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern 4
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 4
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
at - S0110 (0c8465c0-d0b4-4670-992e-4eee8d7ff952) mitre-tool At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 4
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 4
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Exploits - T1587.004 (bbc3cba7-84ae-410d-b18b-16750731dfa2) Attack Pattern 4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 4
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 4
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 4
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
Network Devices - T1584.008 (149b477f-f364-4824-b1b5-aa1d56115869) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 4
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 4
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern 4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 4
Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 4
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 4
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 4
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 4
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 4
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 4
HOMEFRY - S0232 (7451bcf9-e6e6-4a70-bc3d-1599173d0035) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
HOMEFRY - S0232 (7451bcf9-e6e6-4a70-bc3d-1599173d0035) Malware OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 4
HOMEFRY - S0232 (7451bcf9-e6e6-4a70-bc3d-1599173d0035) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 4
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Credentials - T1589.001 (bc76d0a4-db11-4551-9ac4-01a469cfb161) Attack Pattern 4
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 4
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 4
Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware NanHaiShu (7abd6950-7a07-4d9e-ade1-62414fa50619) Tool 4
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 4
NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware 4
NanHaiShu - S0228 (705f0783-5f7d-4491-b6b7-9628e6e006d2) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern BADFLICK - S0642 (57d83eac-a2ea-42b0-a7b2-c80c55157790) Malware 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 5
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 5
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 5
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 5
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 5
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 5
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 5
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 5
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 5
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 5
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 5
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 5
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 5
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 5
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 5
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 5
Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 5
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 5
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 5
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 5
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 5
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 5
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 5
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 5
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 5
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 5
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 5
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 5
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 5
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 5
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 5
Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 5
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern 5
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern 5
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 5
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern 5
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 5
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 5
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 5
NanHaiShu (3e46af39-52e8-442f-aff1-38eeb90336fc) Malpedia NanHaiShu (7abd6950-7a07-4d9e-ade1-62414fa50619) Tool 5
Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 5
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 5
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia 5