Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Web Services - T1584.006 (ae797531-3219-49a4-bccf-324ad7a4c7b2)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Earth Lusca - G1006 (cc613a49-9bfa-4e22-98d1-15ffbb03f034)	Intrusion Set	1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	2
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	2
Web Services - T1584.006 (ae797531-3219-49a4-bccf-324ad7a4c7b2)	Attack Pattern	Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	2
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b)	Attack Pattern	Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2)	Attack Pattern	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5)	Attack Pattern	Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	2
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	2
Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Winnti for Linux - S0430 (8787e86d-8475-4f13-acea-d33eb83b6105)	Malware	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2)	Attack Pattern	3
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	3
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	3
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	3
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3