FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	FIN8 (a78ae9fe-71cd-4563-9213-7b6260bd9a73)	Threat Actor	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79)	Malware	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe)	mitre-tool	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d)	Attack Pattern	Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
Ragnar Locker (e69f9836-873a-43d3-92a8-97ab783a4171)	Ransomware	Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb)	Malware	Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79)	Malware	2
PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe)	mitre-tool	2
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe)	mitre-tool	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe)	mitre-tool	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe)	mitre-tool	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367)	Tool	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	3
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d)	Attack Pattern	3
Ragnar Locker (e69f9836-873a-43d3-92a8-97ab783a4171)	Ransomware	Private Cluster (5d999c23-11cf-4dee-84bb-f447a4f70dc8)	Unknown	3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1)	Attack Pattern	3
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	3
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	3
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	3