Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.(Citation: 401 TRG Winnti Umbrella May 2018)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	1
Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	1
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	2
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	2
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	3
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	3
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	3
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	Build social network persona - T1341 (9108e212-1c94-4f8d-be76-1aad9b4c86a4)	Attack Pattern	3
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	Develop social network persona digital footprint - T1342 (271e6d40-e191-421a-8f87-a8102452c201)	Attack Pattern	3
APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	3
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	3
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	3
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	Obfuscate infrastructure - T1309 (e6ca2820-a564-4b74-b42a-b6bdf052e5b6)	Attack Pattern	4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	4
Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91)	Attack Pattern	BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	4
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	4
Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	4
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	4
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	4
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	4
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	4
ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	4
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	4
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	4
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	4
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	4
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	4
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f)	Tool	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	5
HiKit (35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1)	Malpedia	Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	5
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	5
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	5
Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	5
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	5
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	5
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	5
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	5
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	5
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	5
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	5
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	5
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	5
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	5
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	5
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	5
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	5
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	5
Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	6
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	7
Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	7