EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Search Closed Sources - T1597 (a51eb150-93b1-484b-a503-e51453b127a4)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26)	Attack Pattern	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	2
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	2
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	3