Skip to content

Hide Navigation Hide TOC

Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Web Services - T1584.006 (ae797531-3219-49a4-bccf-324ad7a4c7b2) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034) Intrusion Set 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool 2
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f) mitre-tool System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool 2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc) Malware 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Web Services - T1584.006 (ae797531-3219-49a4-bccf-324ad7a4c7b2) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 2
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) Attack Pattern Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 2
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616) Malware 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware 2
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware 2
Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105) Malware 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 3
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 3
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3