Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9)

Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. (Citation: CrowdStrike Ember Bear Profile March 2022) (Citation: Mandiant UNC2589 March 2022) (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set 1
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set 1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 1
Ember Bear - G1003 (a7f57cc1-4540-4429-823f-f4e56b8473c9) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
WhisperGate - S0689 (49fee0b0-390e-4bde-97f8-97ed46bd19b7) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern OutSteel - S1017 (c113230f-f044-423b-af63-9b63c802f5ae) Malware 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Saint Bot - S1018 (7724581b-06ff-4d2b-b77c-80dc8d53070b) Malware 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Disk Structure Wipe - T1561.002 (0af0ca99-357d-4ba1-805f-674fdfb7bef9) Attack Pattern Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern 3
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 3