APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	RAPIDPULSE - S1113 (880f7b3e-ad27-4158-8b03-d44c9357950b)	Malware	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969)	Attack Pattern	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	1
Botnet - T1583.005 (31225cd3-cd46-4575-b287-c2c14011c074)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Skeleton Key - S0007 (89f63ae4-f229-4a5c-95ad-6f22ed2b5c49)	Malware	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	PULSECHECK - S1108 (9a097d18-d15f-4635-a4f1-189df7efdc40)	Malware	1
netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111)	mitre-tool	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
PACEMAKER - S1109 (647215dd-29a6-4528-b354-ca8b5e08fca1)	Malware	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	APT5 - G1023 (c1aab4c9-4c34-4f4f-8541-d529e46a07f9)	Intrusion Set	1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	2
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49)	Attack Pattern	2
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd)	Attack Pattern	2
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
RAPIDPULSE - S1113 (880f7b3e-ad27-4158-8b03-d44c9357950b)	Malware	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	RAPIDPULSE - S1113 (880f7b3e-ad27-4158-8b03-d44c9357950b)	Malware	2
RAPIDPULSE - S1113 (880f7b3e-ad27-4158-8b03-d44c9357950b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
RAPIDPULSE - S1113 (880f7b3e-ad27-4158-8b03-d44c9357950b)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Botnet - T1583.005 (31225cd3-cd46-4575-b287-c2c14011c074)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	2
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f)	Tool	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Skeleton Key - S0007 (89f63ae4-f229-4a5c-95ad-6f22ed2b5c49)	Malware	Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
SLIGHTPULSE - S1110 (d1008b78-960c-4b36-bdc4-39a734e1e4e3)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
PULSECHECK - S1108 (9a097d18-d15f-4635-a4f1-189df7efdc40)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	PULSECHECK - S1108 (9a097d18-d15f-4635-a4f1-189df7efdc40)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PULSECHECK - S1108 (9a097d18-d15f-4635-a4f1-189df7efdc40)	Malware	2
PULSECHECK - S1108 (9a097d18-d15f-4635-a4f1-189df7efdc40)	Malware	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	2
netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
PcShare - S1050 (3a53b207-aba2-4a2b-9cdb-273d633669e7)	mitre-tool	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PACEMAKER - S1109 (647215dd-29a6-4528-b354-ca8b5e08fca1)	Malware	2
PACEMAKER - S1109 (647215dd-29a6-4528-b354-ca8b5e08fca1)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
PACEMAKER - S1109 (647215dd-29a6-4528-b354-ca8b5e08fca1)	Malware	Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	2
PACEMAKER - S1109 (647215dd-29a6-4528-b354-ca8b5e08fca1)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
PACEMAKER - S1109 (647215dd-29a6-4528-b354-ca8b5e08fca1)	Malware	Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f)	Attack Pattern	2
PACEMAKER - S1109 (647215dd-29a6-4528-b354-ca8b5e08fca1)	Malware	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	2
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	3
Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	3
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	3
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	3
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0)	Attack Pattern	3
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	3
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	3
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f)	Attack Pattern	3
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	4
Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	4
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	5
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	5