QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)

QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat. The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open-source version. The 2.0 versions require a dropper to decrypt and launch the AES-encrypted QUASARRAT payload.

QUASARRAT is a fully functional, publicly available .NET backdoor for Windows that has been used by multiple cyber espionage groups in the past. It may visit a website, download, upload, and execute files. QUASARRAT may acquire system information, act as a remote desktop or shell, or remotely activate the webcam. The backdoor may also log keystrokes and steal passwords from commonly used browsers and FTP clients. QUASARRAT was originally named xRAT before it was renamed by the developers in August 2015.

Availability: Public

Cluster A Galaxy A Cluster B Galaxy B Level
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT 1
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool 1
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 1
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT 2
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT 2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (860643d6-5693-4e4e-ad1f-56c49faa10a7) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor RDP Wrapper (bea5f660-a106-4983-a11a-0e0b6ce348d2) Tool 2
TightVNC (e596e014-c0b7-491a-afee-3588fbfc61c1) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Emerald Sleet (44be06b1-e17a-5ea6-a0a2-067933a7af77) Microsoft Activity Group actor Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor RevClient (cdd432b0-8899-4e7d-ad4a-b18741ade11d) Tool 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 2
Kimsuky - APT-C-55 (84e18657-3995-5837-88f1-f823520382a8) 360.net Threat Actors Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia 2
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 2
Chrome Remote Desktop (6583d982-a5cb-47e0-a3b0-bc18cadaeb53) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia 3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT 3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT 3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool 3
BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 3
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern 3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 3
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern 3
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 3
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 3
Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 3
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 3
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 3
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 4
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 4
schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 4
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 4
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 4
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 4
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 4
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern 4
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 4
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 4
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 4
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 4
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 4
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern 4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 4
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 4
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Data Encrypted for Impact - T1471 (d9e88203-2b5d-405f-a406-2933b1e3d7e4) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Endpoint Denial of Service - T1642 (eb6cf439-1bcb-4d10-bc68-1eed844ed7b3) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 4
Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern 4
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 5
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 5
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 5
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 5
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 5
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 5
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 5
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 5
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 5
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 5
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 5
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 5
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 5
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 5
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 5
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 5
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 5
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern 5