Skip to content

Hide Navigation Hide TOC

HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87)

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for intial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)

Cluster A Galaxy A Cluster B Galaxy B Level
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
IP Addresses - T1590.005 (0dda99f0-4701-48ca-9774-8504922e92d3) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 1
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 1
Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern 1
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
ASPXSpy - S0073 (56f46b17-8cfa-46c0-b501-dd52fef394e2) Malware HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Botnet - T1583.005 (31225cd3-cd46-4575-b287-c2c14011c074) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Client Configurations - T1592.004 (774ad5bb-2366-4c13-a8a9-65e50b292e7c) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
HAFNIUM - G0125 (2688b13e-8e71-405a-9c40-0dee94bddf87) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
IP Addresses - T1590.005 (0dda99f0-4701-48ca-9774-8504922e92d3) Attack Pattern Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware 2
Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern 2
Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Tarrask - S1011 (988976ff-beeb-4fb5-b07d-ca7437ea66e8) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 2
Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware 2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
China Chopper - S0020 (5a3a31fe-5a8f-48e1-bff0-a753e5b1be70) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 2
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern ASPXSpy - S0073 (56f46b17-8cfa-46c0-b501-dd52fef394e2) Malware 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Botnet - T1583.005 (31225cd3-cd46-4575-b287-c2c14011c074) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 2
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 2
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Gather Victim Host Information - T1592 (09312b1a-c3c6-4b45-9844-3ccc78e5d82f) Attack Pattern Client Configurations - T1592.004 (774ad5bb-2366-4c13-a8a9-65e50b292e7c) Attack Pattern 2
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3