Skip to content

Hide Navigation Hide TOC

Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader Lazarus Group umbrella rather than tracking separate subgroup or cluster distinctions.

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)

In 2023, Kimsuky was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)

Cluster A Galaxy A Cluster B Galaxy B Level
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 1
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 1
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 1
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern 1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 1
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 1
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 1
Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern 1
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 1
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 1
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 1
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 1
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 2
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 2
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern 2
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 2
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 2
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 2
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 2
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 3
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 3
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool 3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 3
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 3