FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966)	mitre-tool	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
FrameworkPOS - S0503 (1cdbbcab-903a-414d-8eb0-439a97343737)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
FIN6 (647894f6-1723-4cba-aba4-0ef0966d5302)	Threat Actor	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	FIN6 - G0037 (2a7914cf-dff3-428d-ab0f-1014d1c28aeb)	Intrusion Set	1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
More_eggs - S0284 (bfd2738c-8b43-43c3-bc9f-d523c8e88bf4)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	FrameworkPOS - S0503 (1cdbbcab-903a-414d-8eb0-439a97343737)	Malware	2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	FrameworkPOS - S0503 (1cdbbcab-903a-414d-8eb0-439a97343737)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	FrameworkPOS - S0503 (1cdbbcab-903a-414d-8eb0-439a97343737)	Malware	2
FrameworkPOS - S0503 (1cdbbcab-903a-414d-8eb0-439a97343737)	Malware	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	FrameworkPOS - S0503 (1cdbbcab-903a-414d-8eb0-439a97343737)	Malware	2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3)	Attack Pattern	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d)	Attack Pattern	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367)	Tool	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	GrimAgent - S0632 (c9b99d03-ff11-4a48-95f0-82660d582c25)	Malware	2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc)	Attack Pattern	LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	2
LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	2
LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0)	Attack Pattern	2
LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
LockerGoga - S0372 (5af7a825-2d9f-400d-931a-e00eb9e27f48)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
FlawedAmmyy - S0381 (432555de-63bf-4f2a-a3fa-f720a4561078)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
FrameworkPOS - S0503 (1cdbbcab-903a-414d-8eb0-439a97343737)	Malware	FIN6 (647894f6-1723-4cba-aba4-0ef0966d5302)	Threat Actor	2
FIN6 (647894f6-1723-4cba-aba4-0ef0966d5302)	Threat Actor	Camouflage Tempest (3126bd2c-3d04-5174-ad03-40136b94f574)	Microsoft Activity Group actor	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Ryuk - S0446 (a020a61c-423f-4195-8c46-ba1d21abba37)	Malware	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	2
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Maze - S0449 (d9f7383c-95ec-4080-bbce-121c9384457b)	Malware	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	3
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	3
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	3
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	3
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	3
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	3
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	3