Hide Navigation Hide TOC

EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Search Closed Sources - T1597 (a51eb150-93b1-484b-a503-e51453b127a4)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	1
EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26)	Attack Pattern	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	1
EXOTIC LILY - G1011 (129f2f77-1ab2-4c35-bd5e-21260cee92af)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	2
Bumblebee - S1039 (04378e79-4387-468a-a8f7-f974b8254e44)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91)	Attack Pattern	2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Bazar - S0534 (99fdf3b4-96ef-4ab9-b191-fc683441cad0)	Malware	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	2
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Odbcconf - T1218.008 (6e3bd510-6b33-41a4-af80-2d80f3ee0071)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	3
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	3
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3