Skip to content

Hide Navigation Hide TOC

INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1)

INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.(Citation: Bleeping Computer INC Ransomware March 2024)(Citation: Cybereason INC Ransomware November 2023)(Citation: Secureworks GOLD IONIC April 2024)(Citation: SentinelOne INC Ransomware)

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 1
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) Attack Pattern 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 1
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set 1
INC Ransom - G1032 (cb41e991-65f4-4668-a65f-f4200545b5a1) Intrusion Set Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Device Driver Discovery - T1652 (215d9700-5881-48b8-8265-6449dbb7195d) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 2
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware 2
INC Ransomware - S1139 (f25d4207-25b2-4bb0-a17a-403943c670ad) Malware Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68) mitre-tool Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79) mitre-tool 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern esentutl - S0404 (c256da91-6dd5-40b2-beeb-ee3b22ab3d27) mitre-tool 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 3
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 3
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 3
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 3