BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af)

Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af)	Microsoft Activity Group actor	1
Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9)	Backdoor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
Brass Typhoon (2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5)	Microsoft Activity Group actor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
LEAD (f542442e-ba0f-425d-b386-6c10351a468e)	Microsoft Activity Group actor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	2
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	3
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	3
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	4
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	4
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	4
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Build social network persona - T1341 (9108e212-1c94-4f8d-be76-1aad9b4c86a4)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Develop social network persona digital footprint - T1342 (271e6d40-e191-421a-8f87-a8102452c201)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	5
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	5
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	5
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	5
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	5
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	5
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	5
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	5
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	5
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	5
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	5
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	5
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	5
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	5
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	5
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	5
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	5
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	5
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	5
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f)	Tool	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	5
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	5
Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	5
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	5
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	5
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	5
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	5
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91)	Attack Pattern	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	Obfuscate infrastructure - T1309 (e6ca2820-a564-4b74-b42a-b6bdf052e5b6)	Attack Pattern	5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	6
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	6
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	6
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	6
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	6
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	6
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	6
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	6
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	6
Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	HiKit (35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1)	Malpedia	6
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	6
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	6
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	6
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	6
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	6
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	6
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	6
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	6
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	6
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	6
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	7
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	7
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	7
Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	8
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	8