GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
HTRAN - S0040 (d5e96a35-7b0b-4c6a-9533-d63ecbda563e)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
at - S0110 (0c8465c0-d0b4-4670-992e-4eee8d7ff952)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e)	mitre-tool	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	GALLIUM - G0093 (06a11b7e-2a36-47fe-8d3e-82c265df3258)	Intrusion Set	1
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367)	Tool	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	PingPull - S1031 (3a0f6128-0a01-421d-8eca-e57d8671b1f1)	Malware	2
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	HTRAN - S0040 (d5e96a35-7b0b-4c6a-9533-d63ecbda563e)	mitre-tool	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	HTRAN - S0040 (d5e96a35-7b0b-4c6a-9533-d63ecbda563e)	mitre-tool	2
HTran (3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8)	Malpedia	HTRAN - S0040 (d5e96a35-7b0b-4c6a-9533-d63ecbda563e)	mitre-tool	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	HTRAN - S0040 (d5e96a35-7b0b-4c6a-9533-d63ecbda563e)	mitre-tool	2
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	2
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	2
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	2
BlackMould - S0564 (63c4511b-2d6e-4bb2-b582-e2e99a8a467d)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
at - S0110 (0c8465c0-d0b4-4670-992e-4eee8d7ff952)	mitre-tool	At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0)	Attack Pattern	2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70)	Malware	Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e)	mitre-tool	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e)	mitre-tool	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e)	mitre-tool	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e)	mitre-tool	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e)	mitre-tool	2
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	3
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	3
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	3
MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	3
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	3
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	3
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	3
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	3
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119)	Attack Pattern	3
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	4
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	5
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	5