Skip to content

Hide Navigation Hide TOC

Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b)

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023) Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. (Citation: Mandiant UNC3944 May 2025)

Cluster A Galaxy A Cluster B Galaxy B Level
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261) mitre-tool 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set SIM Card Swap - T1451 (a64a820a-cb21-471f-920c-506a2ff04fa5) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Cloud Infrastructure Discovery - T1580 (57a3d31a-d04f-4663-b2da-7df8ec3f8c9d) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Conditional Access Policies - T1556.009 (ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906) mitre-tool 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Cloud Service Dashboard - T1538 (e49920b0-6c54-40c1-9571-73723653205f) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 1
Scattered Spider - G1015 (44d37b89-a739-4810-9111-0d2617a8939b) Intrusion Set Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool 1
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261) mitre-tool 2
ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261) mitre-tool Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261) mitre-tool Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern 2
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware 2
Raccoon Stealer - S1148 (b5a8fb8b-4ff1-43e5-a1ad-75ae565f5175) Malware Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 2
Email Hiding Rules - T1564.008 (0cf55441-b176-4332-89e7-2c4c7799d0ff) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware 2
BlackCat - S1068 (50c44c34-3abb-48ae-9433-a2337de5b0bc) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
WarzoneRAT - S0670 (fde19a18-e502-467f-be14-58c71b4e7f4b) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 2
Conditional Access Policies - T1556.009 (ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289) Attack Pattern 2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 2
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 2
ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906) mitre-tool Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906) mitre-tool Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 2
ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906) mitre-tool Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906) mitre-tool Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern 2
ngrok - S0508 (2f7f03bb-f367-4a5a-ad9b-310a12a48906) mitre-tool Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern 2
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 2
Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 2
Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 3
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern 3
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 3
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern 3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 3