Hide Navigation Hide TOC

Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	SEO Poisoning - T1608.006 (e5d550f3-2202-4634-85f2-4a200a1d49b3)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Drive-by Target - T1608.004 (31fe0ba2-62fd-4fd9-9293-4043d84f7fe9)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Malvertising - T1583.008 (155207c0-7f53-4f13-a06b-0a9907ef5096)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Mustard Tempest - G1020 (0d4ac089-ced4-4cc4-a989-174d08e6d030)	Intrusion Set	Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	1
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
SocGholish - S1124 (5911d2ca-64f6-49b3-b94f-29b5d185085c)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	SEO Poisoning - T1608.006 (e5d550f3-2202-4634-85f2-4a200a1d49b3)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	Drive-by Target - T1608.004 (31fe0ba2-62fd-4fd9-9293-4043d84f7fe9)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Malvertising - T1583.008 (155207c0-7f53-4f13-a06b-0a9907ef5096)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	3
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	3