Skip to content

Hide Navigation Hide TOC

Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2)

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023). The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.(Citation: DOJ KVBotnet 2024).

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations. (Citation: Dragos 2025 Year in Review)

Cluster A Galaxy A Cluster B Galaxy B Level
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 1
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Exploits - T1587.004 (bbc3cba7-84ae-410d-b18b-16750731dfa2) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Vulnerabilities - T1588.006 (2b5aa86b-a0df-4382-848d-30abea443327) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 1
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e) mitre-tool Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set netsh - S0108 (5a63f900-5e7e-4928-a746-dd4558e1df71) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 1
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Systeminfo - S0096 (7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1) mitre-tool Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Network Security Appliances - T1590.006 (6c2957f9-502a-478c-b1dd-d626c0659413) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Network Devices - T1584.008 (149b477f-f364-4824-b1b5-aa1d56115869) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 1
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Scan Databases - T1596.005 (ec4be82f-940c-4dcb-87fe-2bbdd17c692f) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109) Attack Pattern 1
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Network Topology - T1590.004 (34ab90a3-05f6-4259-8f21-621081fdaba5) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Gather Victim Host Information - T1592 (09312b1a-c3c6-4b45-9844-3ccc78e5d82f) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Virtual Private Server - T1584.003 (39cc9f64-cf74-4a48-a4d8-fe98c54a02e0) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 1
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Identify Roles - T1591.004 (cc723aff-ec88-40e3-a224-5af9fd983cc4) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26) Attack Pattern 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 1
Volt Typhoon - G1017 (174279b4-399f-4ddb-966e-5efedd1dd5f2) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 2
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Exploits - T1587.004 (bbc3cba7-84ae-410d-b18b-16750731dfa2) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Vulnerabilities - T1588.006 (2b5aa86b-a0df-4382-848d-30abea443327) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111) mitre-tool 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e) mitre-tool File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
cmd - S0106 (bba595da-b73a-4354-aa6c-224d4de7cb4e) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern netsh - S0108 (5a63f900-5e7e-4928-a746-dd4558e1df71) mitre-tool 2
netsh - S0108 (5a63f900-5e7e-4928-a746-dd4558e1df71) mitre-tool Netsh Helper DLL - T1546.007 (f63fe421-b1d1-45c0-b8a7-02cd16ff2bed) Attack Pattern 2
Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern netsh - S0108 (5a63f900-5e7e-4928-a746-dd4558e1df71) mitre-tool 2
netsh - S0108 (5a63f900-5e7e-4928-a746-dd4558e1df71) mitre-tool Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 2
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool 2
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Systeminfo - S0096 (7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Network Security Appliances - T1590.006 (6c2957f9-502a-478c-b1dd-d626c0659413) Attack Pattern Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109) Attack Pattern 2
Network Devices - T1584.008 (149b477f-f364-4824-b1b5-aa1d56115869) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Scan Databases - T1596.005 (ec4be82f-940c-4dcb-87fe-2bbdd17c692f) Attack Pattern Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0) Attack Pattern 2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 2
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 2
Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern 2
Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern 2
Wevtutil - S0645 (f91162cc-1686-4ff8-8115-bf3f61a4cc7a) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool 2
FRP - S1144 (36dd807e-b5bc-4c3e-91ed-80682360148c) mitre-tool Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2
Network Topology - T1590.004 (34ab90a3-05f6-4259-8f21-621081fdaba5) Attack Pattern Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2
Virtual Private Server - T1584.003 (39cc9f64-cf74-4a48-a4d8-fe98c54a02e0) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware 2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware 2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware 2
VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
VersaMem - S1154 (0a6ec267-83a9-41a5-98c7-57c3ff81e11f) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern Identify Roles - T1591.004 (cc723aff-ec88-40e3-a224-5af9fd983cc4) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 3
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Netsh Helper DLL - T1546.007 (f63fe421-b1d1-45c0-b8a7-02cd16ff2bed) Attack Pattern 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 3
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 3
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 3
Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3