Skip to content

Hide Navigation Hide TOC

Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

In 2023, Kimsuky has used commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)

Cluster A Galaxy A Cluster B Galaxy B Level
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 2
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern 2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 2
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 2
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 2
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 2
schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 3