Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)

Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, Scattered Spider has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Cloud Service Dashboard - T1538 (e49920b0-6c54-40c1-9571-73723653205f)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Conditional Access Policies - T1556.009 (ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906)	mitre-tool	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Cloud Infrastructure Discovery - T1580 (57a3d31a-d04f-4663-b2da-7df8ec3f8c9d)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0)	Attack Pattern	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)	Intrusion Set	Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	1
Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	2
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	2
Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3)	Attack Pattern	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	2
Conditional Access Policies - T1556.009 (ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	2
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3)	Attack Pattern	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e)	Attack Pattern	2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d)	Attack Pattern	Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90)	Attack Pattern	Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c)	Attack Pattern	2
Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289)	Attack Pattern	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc)	Malware	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906)	mitre-tool	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906)	mitre-tool	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906)	mitre-tool	2
Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906)	mitre-tool	2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906)	mitre-tool	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b)	Malware	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	2
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	3
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	3
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b)	Attack Pattern	Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103)	Attack Pattern	3
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967)	Attack Pattern	Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	3