Skip to content

Hide Navigation Hide TOC

LEAD (f542442e-ba0f-425d-b386-6c10351a468e)

In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.

Cluster A Galaxy A Cluster B Galaxy B Level
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor LEAD (f542442e-ba0f-425d-b386-6c10351a468e) Microsoft Activity Group actor 1
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor Brass Typhoon (2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5) Microsoft Activity Group actor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9) Backdoor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af) Microsoft Activity Group actor 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 3
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 4
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 4
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern 4
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 4
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 4
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
Develop social network persona digital footprint - T1342 (271e6d40-e191-421a-8f87-a8102452c201) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
Build social network persona - T1341 (9108e212-1c94-4f8d-be76-1aad9b4c86a4) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 5
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 5
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 5
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 5
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern 5
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 5
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 5
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 5
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 5
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 5
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 5
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 5
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 5
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 5
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 5
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern 5
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 5
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 5
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 5
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 5
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 5
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6) Tool Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 5
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39) Attack Pattern Obfuscate infrastructure - T1309 (e6ca2820-a564-4b74-b42a-b6bdf052e5b6) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 6
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 6
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 6
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 6
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 6
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 6
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 6
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 6
HiKit (35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1) Malpedia Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6) Tool 6
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 6
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 6
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 6
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 6
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 6
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia 6
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 6
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 7
Torn RAT (32a67552-3b31-47bb-8098-078099bbc813) Tool APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 7
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 7
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738) Malpedia 8
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor 8