
Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9)

Speculoos is a FreeBSD-based payload that was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679, which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances had been issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

Cluster A Galaxy A Cluster B Galaxy B Level
Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9) Backdoor APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor 1
Brass Typhoon (2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5) Microsoft Activity Group actor APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af) Microsoft Activity Group actor 2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 2
LEAD (f542442e-ba0f-425d-b386-6c10351a468e) Microsoft Activity Group actor APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor 2
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6) Threat Actor 2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff) Intrusion Set 3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb) Threat Actor APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 3
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20) Malware Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21) Malware Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973) Intrusion Set Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 4
Develop social network persona digital footprint - T1342 (271e6d40-e191-421a-8f87-a8102452c201) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set 4
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39) Attack Pattern 4
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae) Intrusion Set Build social network persona - T1341 (9108e212-1c94-4f8d-be76-1aad9b4c86a4) Attack Pattern 4
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 5
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 5
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 5
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 5
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1) Malpedia Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c) Tool 5
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 5
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 5
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 5
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 5
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 5
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 5
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 5
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 5
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344) Malware 5
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia 5
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern 5
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235) Attack Pattern Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445) Malware 5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern 5
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 5
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 5
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 5
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 5
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c) Malware 5
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 5
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 5
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 5
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 5
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f) Malware 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 5
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 5
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6) Tool Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61) Malware 5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware 5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 5
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware 5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43) Malware 5
Obfuscate infrastructure - T1309 (e6ca2820-a564-4b74-b42a-b6bdf052e5b6) Attack Pattern Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39) Attack Pattern 5
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5) Malpedia Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c) Tool 6
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 6
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool 6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia 6
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia 6
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 6
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 6
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 6
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 6
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 6
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 6
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 6
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 6
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 6
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 6
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 6
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 6
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool 9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f) Malpedia 6
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703) Tool Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d) Malpedia 6
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 6
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 6
HiKit (35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1) Malpedia Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6) Tool 6
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 6
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 7
Torn RAT (32a67552-3b31-47bb-8098-078099bbc813) Tool APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 7
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 7
Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738) Malpedia Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT 8
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor 8