UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.(Citation: Mandiant Fortinet Zero Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Search Threat Vendor Data - T1681 (63b24abc-5702-4745-b1e4-ac70b20a43f2)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Virtual Machine Discovery - T1673 (6bc7f9aa-b91f-4b23-84b8-5e756eba68eb)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Exploitation for Credential Access - T1212 (9c306d8d-cde7-4b4c-b6e8-d0bb16caca36)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
ESXi Administration Command - T1675 (31e5011f-090e-45be-9bb6-17a1c5e8219b)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
MEDUSA - S1220 (0a615414-1dad-4131-802d-38f5d72ef852)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Exploits - T1587.004 (bbc3cba7-84ae-410d-b18b-16750731dfa2)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Digital Certificates - T1588.004 (19401639-28d0-4c3c-adcc-bc2ba22f6421)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
THINCRUST - S1223 (351b63d3-7b2c-4ede-b3fe-ff291527b397)	Malware	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	UNC3886 - G1048 (461b8e25-8f4a-4ea2-a4a8-e39df7ce6630)	Intrusion Set	1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	2
CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	2
CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	2
CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
CASTLETAP - S1224 (15c7bcdb-23e1-4ce3-81a7-b109b4d2a4f1)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
ESXi Administration Command - T1675 (31e5011f-090e-45be-9bb6-17a1c5e8219b)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	2
VIRTUALPITA - S1217 (df0b59fe-0193-49ea-84e1-9207139c716c)	Malware	Virtual Machine Discovery - T1673 (6bc7f9aa-b91f-4b23-84b8-5e756eba68eb)	Attack Pattern	2
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)	Malware	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	2
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)	Malware	Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c)	Attack Pattern	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)	Malware	2
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5)	Attack Pattern	VIRTUALPIE - S1218 (7cc63f0f-f24f-4cda-9e9f-61bde1d52297)	Malware	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	2
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6)	Attack Pattern	2
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	2
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd)	Attack Pattern	REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	2
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	2
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	Udev Rules - T1546.017 (f4c3f644-ab33-433d-8648-75cc03a95792)	Attack Pattern	2
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba)	Attack Pattern	2
REPTILE - S1219 (4ea492ee-36f8-4017-938f-d01ce951ef94)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	MEDUSA - S1220 (0a615414-1dad-4131-802d-38f5d72ef852)	Malware	2
MEDUSA - S1220 (0a615414-1dad-4131-802d-38f5d72ef852)	Malware	SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8)	Attack Pattern	2
MEDUSA - S1220 (0a615414-1dad-4131-802d-38f5d72ef852)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
MEDUSA - S1220 (0a615414-1dad-4131-802d-38f5d72ef852)	Malware	Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	2
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Exploits - T1587.004 (bbc3cba7-84ae-410d-b18b-16750731dfa2)	Attack Pattern	2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	2
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	2
MOPSLED - S1221 (bfcb4a75-b6f0-489b-b506-836bfba3d70e)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Hypervisor CLI - T1059.012 (d2d642da-61ff-4211-b4df-7923c9ca220c)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Digital Certificates - T1588.004 (19401639-28d0-4c3c-adcc-bc2ba22f6421)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	2
RIFLESPINE - S1222 (d0270367-37fc-471e-9206-483582c5f47d)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	vSphere Installation Bundles - T1505.006 (f8ba7d61-11c5-4130-bafd-7c3ff5fbf4b5)	Attack Pattern	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	THINCRUST - S1223 (351b63d3-7b2c-4ede-b3fe-ff291527b397)	Malware	2
THINCRUST - S1223 (351b63d3-7b2c-4ede-b3fe-ff291527b397)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	THINCRUST - S1223 (351b63d3-7b2c-4ede-b3fe-ff291527b397)	Malware	2
THINCRUST - S1223 (351b63d3-7b2c-4ede-b3fe-ff291527b397)	Malware	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	2
THINCRUST - S1223 (351b63d3-7b2c-4ede-b3fe-ff291527b397)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520)	Attack Pattern	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	3
Udev Rules - T1546.017 (f4c3f644-ab33-433d-8648-75cc03a95792)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Launch Daemon - T1543.004 (573ad264-1371-4ae0-8482-d2673b719dba)	Attack Pattern	3
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	3
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	3