Skip to content

Hide Navigation Hide TOC

Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba)

The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.

Data Collection Measures:

  • Windows:
    • Event ID 5156 – Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).
    • Sysmon Event ID 3 – Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.
  • Linux/macOS:
    • Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.
    • AuditD (connect syscall) - Logs TCP, UDP, and ICMP connections.
    • Zeek (conn.log) - Captures protocol, duration, and bytes transferred.
  • Cloud & Network Infrastructure:
    • AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.
    • Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.
  • Endpoint Detection & Response (EDR):
    • Detect anomalous network activity such as new C2 connections or data exfiltration attempts.
Cluster A Galaxy A Cluster B Galaxy B Level
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 1
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Wi-Fi Networks - T1669 (fde016f6-211a-41c8-a4ab-301f1e419c62) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Adversary-in-the-Middle - T1638 (08e22979-d320-48ed-8711-e7bf94aabb13) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) Attack Pattern 1
Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern 1
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 1
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern 1
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component One-Way Communication - T1481.003 (d916f176-a1ca-4a78-9fdd-4058bc28162e) Attack Pattern 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component IDE Tunneling - T1219.001 (77e29a47-e263-4f11-8692-e5012f44dbac) Attack Pattern 1
Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 1
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 2
Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) Attack Pattern Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 2
Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) Attack Pattern Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern 2
Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) Attack Pattern Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Bandwidth Hijacking - T1496.002 (718cb208-6446-4572-a2f0-9c799c60091e) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 2
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern One-Way Communication - T1481.003 (d916f176-a1ca-4a78-9fdd-4058bc28162e) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern 2
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern IDE Tunneling - T1219.001 (77e29a47-e263-4f11-8692-e5012f44dbac) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern 2