Hide Navigation Hide TOC

BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Digital Certificates - T1588.004 (19401639-28d0-4c3c-adcc-bc2ba22f6421)	Attack Pattern	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	1
BlackTech - G0098 (6fe8a2a1-a1b0-4af8-953d-4babd329f8f8)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6)	Attack Pattern	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Waterbear - S0579 (f3f1fbed-7e29-49cb-8579-4a378f858deb)	Malware	2
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	2
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	2
PLEAD - S0435 (b57f419e-8b12-49d3-886b-145383725dcd)	Malware	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	2
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Flagpro - S0696 (592260fb-dd5c-4a30-8d99-106a0485be0d)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
TSCookie - S0436 (76ac7989-c5cc-42e2-93e3-d6c476f01ace)	Malware	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367)	Tool	2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	2
Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Kivars - S0437 (b2d134a1-7bd5-4293-94d4-8fc978cb1cd7)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Digital Certificates - T1588.004 (19401639-28d0-4c3c-adcc-bc2ba22f6421)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Right-to-Left Override - T1036.002 (77eae145-55db-4519-8ae5-77b0c7215d69)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6)	Attack Pattern	3
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19)	Attack Pattern	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	3
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3