Skip to content

Hide Navigation Hide TOC

APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80)

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
AppInit DLLs - T1546.010 (cc89ecbd-3d33-4a41-bcca-001e702d18fd) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
ftp - S0095 (cf23bf4a-e003-4116-bbae-1ea6c558d565) mitre-tool APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
ASPXSpy - S0073 (56f46b17-8cfa-46c0-b501-dd52fef394e2) Malware APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern APT39 - G0087 (44e43fad-ffcb-4210-abcf-eaaed9735f80) Intrusion Set 1
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware 2
MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware 2
MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
MechaFlounder - S0459 (dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern AppInit DLLs - T1546.010 (cc89ecbd-3d33-4a41-bcca-001e702d18fd) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool 2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 2
ftp - S0095 (cf23bf4a-e003-4116-bbae-1ea6c558d565) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
ftp - S0095 (cf23bf4a-e003-4116-bbae-1ea6c558d565) mitre-tool Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
ftp - S0095 (cf23bf4a-e003-4116-bbae-1ea6c558d565) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Cadelspy - S0454 (a705b085-1eae-455e-8f4d-842483d814eb) Malware 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern ASPXSpy - S0073 (56f46b17-8cfa-46c0-b501-dd52fef394e2) Malware 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool 2
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 2
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Remexi - S0375 (ecc2f65a-b452-4eaf-9689-7e181f17f7a5) Malware 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 3
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool 3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 3
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern 3