BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af)

Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af)	Microsoft Activity Group actor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	1
Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9)	Backdoor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	Brass Typhoon (2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5)	Microsoft Activity Group actor	2
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	LEAD (f542442e-ba0f-425d-b386-6c10351a468e)	Microsoft Activity Group actor	2
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	4
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	4
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	4
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	4
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Build social network persona - T1341 (9108e212-1c94-4f8d-be76-1aad9b4c86a4)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Develop social network persona digital footprint - T1342 (271e6d40-e191-421a-8f87-a8102452c201)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	5
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	5
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	5
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	5
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	5
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	5
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	5
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	5
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	5
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	5
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	5
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	5
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	5
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	5
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	5
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f)	Tool	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	5
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	5
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	5
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	5
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	5
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	5
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	5
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	5
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	5
Obfuscate infrastructure - T1309 (e6ca2820-a564-4b74-b42a-b6bdf052e5b6)	Attack Pattern	Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	5
Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	6
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	6
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	6
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	6
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	6
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	6
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	6
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	6
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	6
Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	HiKit (35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1)	Malpedia	6
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	6
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	6
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	6
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	6
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	6
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	6
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	6
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	6
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	6
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	6
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	7
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	7
Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	7
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	8
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	8