Skip to content

Hide Navigation Hide TOC

INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1)

INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.(Citation: Bleeping Computer INC Ransomware March 2024)(Citation: Cybereason INC Ransomware November 2023)(Citation: Secureworks GOLD IONIC April 2024)(Citation: SentinelOne INC Ransomware)

Cluster A Galaxy A Cluster B Galaxy B Level
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 1
Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Device Driver Discovery - T1652 (215d9700-5881-48b8-8265-6449dbb7195d) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 2
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 3
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 3
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 3
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 3
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern 3