Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	1
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	LOTUS PANDA (32fafa69-fe3c-49db-afd4-aac2664bcf0d)	Threat Actor	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	1
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	1
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Elise (3477a25d-e04b-475e-8330-39f66c10cc01)	Malpedia	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Elise Backdoor (d70fd29d-590e-4ed5-b72f-6ce0142019c6)	Tool	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
Raspberry Typhoon (37f012df-54d8-4b3d-a288-af47240430ea)	Threat Actor	LOTUS PANDA (32fafa69-fe3c-49db-afd4-aac2664bcf0d)	Threat Actor	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	2
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	2
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b)	Attack Pattern	2
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8)	Attack Pattern	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Elise (3477a25d-e04b-475e-8330-39f66c10cc01)	Malpedia	Elise Backdoor (d70fd29d-590e-4ed5-b72f-6ce0142019c6)	Tool	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	3
LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	3